Request #44187 mail() function and newlines
Submitted: 2008-02-20 15:07 UTC Modified: 2018-03-13 17:09 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: anzenews at volja dot net Assigned: cmb (profile)
Status: Duplicate Package: Mail related
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID: None

 [2008-02-20 15:07 UTC] anzenews at volja dot net
Most PHP users are unaware of the security implications of such "Send
to friend" scripts:

I propose a change of parameters to mail():
mail(array $to, string $subject, string $message[, array $additional_headers [, string $additional_parameters ]] );

The function should throw a warning if there is a newline anywhere,
even inside arrays, and should not process the mail.

I agree that the programmer should know their tools, BUT:
- the fact is that most PHP users don't
- most of the TUTORIALS are insecure! A quick search for "PHP mail
example" reveals many prominent pages with such examples.

This is a huge problem and spammers are abusing it extensively.

As this will undoubtedly break some of the scripts (though the fix
should be easy), I suggest adding a configuration statement that
enables such mail() behaviour.

Reproduce code:
  // the attacker-controlled recipient contains a CRLF followed by an extra header:
  // $_POST['send_to_friend'] == "\r\n" . "BCC:";
  mail($_POST['send_to_friend'], $subject, $message); // recipient passed unchecked

Expected result:
Warning: newline in mail() function, line... 
Mail not sent or everything after newline ignored.

Actual result:
Mail sent to and to


 [2010-05-19 17:30 UTC] lukas dot starecek at centrum dot cz
Be careful with that. There have to be newlines in subject if subject is too long (see RFC 2047), but there must not be two newlines consecutively (two consecutive new lines are header separator).
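The check the report asks for, adjusted for the folding caveat in the comment above, written out as an added PHP example (this is not code from the PHP project or from any participant in this thread; the names safeMail, assertSafeHeaderValue and the injectable $sender callable are my own). Recipients are refused on any CR or LF; subject and header values accept a CRLF only when it is followed by a space or tab (a header fold, as RFC 5322 and RFC 2047 permit), and a fold that leaves an empty or whitespace-only line, which would end the header block, is refused as well. mail() is only reached once every value has passed.

```php
<?php
declare(strict_types=1);

/**
 * Refuse a header field value that could smuggle in additional headers.
 * With $allowFolding = false, any CR or LF is rejected (recipient addresses
 * never need folding). With $allowFolding = true, a CRLF immediately followed
 * by SP or HTAB is accepted as a fold; a bare CR or LF, a CRLF not followed
 * by whitespace, or a fold producing a blank line is rejected.
 */
function assertSafeHeaderValue(string $name, string $value, bool $allowFolding): void
{
    if (!$allowFolding) {
        if (preg_match('/[\r\n]/', $value) === 1) {
            throw new InvalidArgumentException("newline in mail() argument '$name'");
        }
        return;
    }
    // A CRLF followed only by optional whitespace and another CRLF terminates
    // the header block, so any such sequence is an injection attempt.
    if (preg_match('/\r\n[ \t]*\r\n/', $value) === 1) {
        throw new InvalidArgumentException("blank line in mail() argument '$name'");
    }
    // Strip well-formed folds; whatever CR/LF survives is not a fold.
    $unfolded = preg_replace('/\r\n[ \t]+/', ' ', $value);
    if (preg_match('/[\r\n]/', $unfolded) === 1) {
        throw new InvalidArgumentException("unfolded newline in mail() argument '$name'");
    }
}

/**
 * mail() wrapper with the array $to signature proposed in the report.
 * $sender defaults to PHP's mail(); it is injectable so the validation can be
 * exercised without an MTA.
 */
function safeMail(array $to, string $subject, string $message,
                  array $headers = [], ?callable $sender = null): bool
{
    $sender = $sender ?? 'mail';
    foreach ($to as $address) {
        assertSafeHeaderValue('to', (string) $address, false);
    }
    assertSafeHeaderValue('subject', $subject, true);
    foreach ($headers as $field => $value) {
        // Field names may not contain newlines either; values may fold.
        assertSafeHeaderValue((string) $field, (string) $field, false);
        assertSafeHeaderValue((string) $field, (string) $value, true);
    }
    // PHP >= 7.2 accepts the header array directly, as noted later in this thread.
    return (bool) $sender(implode(', ', $to), $subject, $message, $headers);
}

// Constructed inputs, modelled on the report's reproduce case.
$recorded = [];
$stub = function (string $to, string $subject, string $message, array $headers) use (&$recorded): bool {
    $recorded[] = $to;   // stand-in for mail(): records instead of sending
    return true;
};

$cases = [
    'clean recipient'   => ['friend@example.invalid'],
    'injected BCC'      => ["friend@example.invalid\r\nBCC: victim@example.invalid"],
];
foreach ($cases as $label => $to) {
    try {
        safeMail($to, 'Hello', 'body', ['From' => 'app@example.invalid'], $stub);
        echo "$label: sent\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: refused (" . $e->getMessage() . ")\n";
    }
}

// A folded subject (RFC 2047 style continuation) is accepted,
// while a subject carrying a blank line is not.
try {
    safeMail(['friend@example.invalid'], "Long subject\r\n continued here", 'body', [], $stub);
    echo "folded subject: sent\n";
    safeMail(['friend@example.invalid'], "Subject\r\n\r\nBCC: victim@example.invalid", 'body', [], $stub);
} catch (InvalidArgumentException $e) {
    echo "blank-line subject: refused (" . $e->getMessage() . ")\n";
}
```

The wrapper checks only what ends up in the header block; the message body may legitimately contain newlines and is passed through untouched. Folding is tolerated rather than rewritten so that an already encoded RFC 2047 subject is delivered as the caller built it.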
 [2011-02-21 20:50 UTC]
-Package: Feature/Change Request +Package: Mail related -Operating System: any +Operating System: *
 [2018-03-13 16:47 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-03-13 16:47 UTC]
Basically, this is a duplicate of bug #68776.

Changing $additional_headers to array would require the RFC
process[1].  Anybody is welcome to start it for this issue.

[1] <>
 [2018-03-13 16:53 UTC] spam2 at rhsoft dot net
Instead of an RFC to change a param, mail() should be deprecated and finally removed altogether.

phpMailer has existed forever and supports SMTP the same way on all operating systems, and I *never* used mail() at all because I try to know my tools. The outcome was, from the very beginning, switching to phpMailer and adding "mail" to "disable_functions" as soon as I took over administration too, or better said years before, by explaining to the admin that every script using that function is highly likely vulnerable.
 [2018-03-13 17:09 UTC]
> Changing $additional_headers to array would require the RFC
> process […]

Well, actually, $additional_headers may be passed as array as of
PHP 7.2.0, see

> instead a RFC for change a param mail() should be deprecated and
> finally removed at all

Feel free to start the RFC process for this. :)