php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #44187 mail() function and newlines
Submitted: 2008-02-20 15:07 UTC Modified: 2018-03-13 17:09 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: anzenews at volja dot net Assigned: cmb (profile)
Status: Duplicate Package: Mail related
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID: None
 [2008-02-20 15:07 UTC] anzenews at volja dot net
Description:
------------
Most of PHP users are unaware of security implications of such "Send 
to friend" scripts:
<?
  mail($_POST['send_to_friend'],$_POST['subject'],$_POST['message']);
?>

I propose change of parameters to mail(): 
mail(array $to, string $subject, string $message[, array 
$additional_headers [, string $additional_parameters ]] );

The function should throw a warning if there is a newline anywhere, 
even inside arrays, and should not process the mail. 

I agree that the programmer should know its tools, BUT:
- the fact is that most of PHP users don't
- most of the TUTORIALS are insecure! A quick search for "PHP mail 
example" reveals many prominent pages with such examples. 

This is a huge problem and spammers are abusing it extensively.

As this will undoubtedly break some of the scripts (though the fix 
should be easy) I suggest adding a configuration statement that 
enables such mail() behaviour,

Reproduce code:
---------------
<?
  // $POST['send_to_friend'] == "me@example.com\r\n"."
  //                            "BCC: you@example.com";
  mail($_POST['send_to_friend'],$_POST['subject'],$_POST['message']);
?>

Expected result:
----------------
Warning: newline in mail() function, line... 
Mail not sent or everything after newline ignored.

Actual result:
--------------
Mail sent to me@example.com and to you@example.com.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-05-19 17:30 UTC] lukas dot starecek at centrum dot cz
Be careful with that. There have to be newlines in subject if subject is too long (see RFC 2047), but there must not be two newlines consecutively (two consecutive new lines are header separator).
 [2011-02-21 20:50 UTC] jani@php.net
-Package: Feature/Change Request +Package: Mail related -Operating System: any +Operating System: *
 [2018-03-13 16:47 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-03-13 16:47 UTC] cmb@php.net
Basically, this is a duplicate of bug #68776.

Changing $additional_headers to array would require the RFC
process[1].  Anybody is welcome to start it for this issue.

[1] <https://wiki.php.net/rfc/howto>
 [2018-03-13 16:53 UTC] spam2 at rhsoft dot net
instead a RFC for change a param mail() should be deprecated and finally removed at all

phpMailer exists forever and supports SMTP the same way on all operating systems and i *never* used mail() at all because i try to know my tools - the outcome was from the very begin switch to phpMailer and add "mail" to "disable_functions" as soon as i took over administration too or better said years before by explain the admin that every script using that function is high likely vulnerable
 [2018-03-13 17:09 UTC] cmb@php.net
> Changing $additional_headers to array would require the RFC
> process […]

Well, actually, $additional_headers may be passed as array as of
PHP 7.2.0, see
<http://git.php.net/?p=php-src.git;a=blob;f=UPGRADING;h=feef5d61c8d80f42e0e696888fd344a8b03406ba;hb=6e530502d24ba7836efc7a99c46a60f367bede13>

> instead a RFC for change a param mail() should be deprecated and
> finally removed at all

Feel free to start the RFC process for this. :)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Mar 26 14:01:27 2019 UTC