Bug #52941 The 'iconv_mime_decode_headers' function is skipping headers
Submitted: 2010-09-28 12:24 UTC Modified: 2010-09-30 13:05 UTC
From: lomakin dot d at gmail dot com Assigned: aharvey
Status: Closed Package: ICONV related
PHP Version: 5.2.14 OS: Ubuntu Linux
Private report: No CVE-ID:
 [2010-09-28 12:24 UTC] lomakin dot d at gmail dot com
Description:
------------
The above mentioned function is skipping all headers below "Subject: =?ks_c_5601-1987?B?UkU6odk=?=". Please see the Test script for details.

Test script:
---------------
<?php

$headers = <<< HEADERS
X-Account-Key: account2
X-Mozilla-Keys:
Received: (qmail 7033 invoked from network); 22 Sep 2010 22:36:58 +0200
Received: from mailu.d-server.nl (77.243.232.197)
  by ns250.d-server.nl with (DHE-RSA-AES256-SHA encrypted) SMTP; 22 Sep 2010 22:36:58 +0200
Received-SPF: softfail (ns250.d-server.nl: transitioning SPF record at spf-d.hotmail.com does not designate 77.243.232.197 as permitted sender)
Received: from blu0-omc1-s18.blu0.hotmail.com ([65.55.116.29])
    by mailu.d-server.nl with esmtp (Exim 4.72)
    (envelope-from <ly_le41@hotmail.com>)
    id 1OyW3V-000314-PM
    for sales@d-hosting.nl; Wed, 22 Sep 2010 22:36:45 +0200
Received: from BLU143-W18 ([65.55.116.7]) by blu0-omc1-s18.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Wed, 22 Sep 2010 13:36:30 -0700
Message-ID: <BLU143-W184DCE238F5D110E30D2B789600@phx.gbl>
Content-Type: multipart/alternative;
    boundary="_5faabef1-4b2f-4c37-977f-1cac859be8fc_"
X-Originating-IP: [123.53.127.17]
From: ly le <ly_le41@hotmail.com>
To: <rita.van.hooft@raabkarcher.nl>
Subject: =?ks_c_5601-1987?B?UkU6odk=?=
Date: Wed, 22 Sep 2010 22:36:30 +0200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 22 Sep 2010 20:36:30.0206 (UTC) FILETIME=[D64B09E0:01CB5A95]
X-Freemail-From: hotmail.com
X-OLS-BogusWarn: No x-mailer header
X-Fake-Warning: OK - 1500 points
X-Filter-ID: EBeX41zdON1/WS6F8A16Scry9n8e9nAlDAG4uEnVrxnWlQQ8DA2EuQjnekIVwEYMERWeKKG4PAQY
 Nyavp7c49MEiDeiU27bNK6MWc6r/fu8K/7rMaqpnz9Yd9XZIQkQ8USI3MwKmEUYJf9GJ38D865XI
 AbAHneIqHmkglGhfNTnUlDWGeOsBMR8LIBTuWMUK9RODrYcwiXQqz/WrUmIAZCG7X+t1TW39Ja77
 LGPpOwBMBGbLubtCpXj0DRd/MR4N8leOuAdtaqgib7p+ZzXcC1Hvcf3fM3mNrQ59Q/Suw447KKcB
 dq4z+D8utKo08iPkiypR5tCsk9GA489CmWCks4KyjhDWJzYmRAlJPR/rE/nelaj/seXgynpektoc
 ovznGplHcpVCCoX989hgB8R+yKl0dkxDswM/rxLamQaQKQP+RYfqJCPhtNgNFMaRa/ty
X-SpamExperts-Class: unsure;
X-SpamExperts-Score: 0.46817445882
X-SpamExperts-Evidence: 'ole': 0.50; 'crm114': 0.50; 'spambayes.hashed': 0.92;
 'direct': 0.50; 'spambayes.global_tokens': 0.51; 'pyzor': 0.50; 'sa': 0.00;
 'os': 0.97; 'dnsbl': 0.50; 'sender': 0.50
X-SpamExperts-Thermostat:
X-Antivirus: avast! (VPS 100922-0, 22-09-2010), Inbound message
X-Antivirus-Status: Clean
HEADERS;

$headers = iconv_mime_decode_headers($headers, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, "ISO-8859-1");

var_dump($headers);


Expected result:
----------------
The function should return an associative array containing all headers which are present in raw headers representation.

Actual result:
--------------
array
  'X-Account-Key' => string 'account2' (length=8)
  'X-Mozilla-Keys' => string '' (length=0)
  'Received' => 
    array
      0 => string '(qmail 7033 invoked from network); 22 Sep 2010 22:36:58 +0200' (length=61)
      1 => string 'from mailu.d-server.nl (77.243.232.197) by ns250.d-server.nl with (DHE-RSA-AES256-SHA encrypted) SMTP; 22 Sep 2010 22:36:58 +0200' (length=129)
      2 => string 'from blu0-omc1-s18.blu0.hotmail.com ([65.55.116.29]) by mailu.d-server.nl with esmtp (Exim 4.72) (envelope-from <ly_le41@hotmail.com>) id 1OyW3V-000314-PM for sales@d-hosting.nl; Wed, 22 Sep 2010 22:36:45 +0200' (length=210)
      3 => string 'from BLU143-W18 ([65.55.116.7]) by blu0-omc1-s18.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 22 Sep 2010 13:36:30 -0700' (length=136)
  'Received-SPF' => string 'softfail (ns250.d-server.nl: transitioning SPF record at spf-d.hotmail.com does not designate 77.243.232.197 as permitted sender)' (length=129)
  'Message-ID' => string '<BLU143-W184DCE238F5D110E30D2B789600@phx.gbl>' (length=45)
  'Content-Type' => string 'multipart/alternative; boundary="_5faabef1-4b2f-4c37-977f-1cac859be8fc_"' (length=72)
  'X-Originating-IP' => string '[123.53.127.17]' (length=15)
  'From' => string 'ly le <ly_le41@hotmail.com>' (length=27)
  'To' => string '<rita.van.hooft@raabkarcher.nl>' (length=31)
  'Subject' => string '=?ks_c_5601-1987?B?UkU6odk' (length=26)


 [2010-09-30 11:10 UTC] aharvey@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: aharvey
 [2010-09-30 11:10 UTC] aharvey@php.net
That's a decidedly odd encoding for the Subject -- neither iconv nor mbstring 
support it, which is presumably why the function is bailing.

Realistically, though, iconv_mime_decode_headers() should be doing something more 
useful than silently discarding the remaining results, so I'll have a looksee if 
we can at least raise an error rather than returning an incomplete result.
 [2010-09-30 13:04 UTC] aharvey@php.net
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=303890
Log: Fixed bug #52941 (The 'iconv_mime_decode_headers' function is skipping
headers).
 [2010-09-30 13:05 UTC] aharvey@php.net
-Status: Assigned +Status: Closed
 [2010-09-30 13:05 UTC] aharvey@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Well, that ended up being a bit more interesting than I expected. The
new behaviour will be to leave the offending header undecoded if and
only if ICONV_MIME_DECODE_CONTINUE_ON_ERROR is set -- the only other
options are really to swallow the content whole, which seems even worse.
 [2011-10-02 23:12 UTC] sheldon dot chang at hyperlinked dot com
This bug has become an issue for anyone still on PHP 5.2 who has PCI compliance 
concerns. PHP 5.2.x is affected and this fix was not applied to PHP 5.2 even 
though it was reported against PHP 5.2.14. It is only fixed in PHP 5.3.4 and 
above. I just tried the test script on a PHP 5.2.17 install and it failed.
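
A defensive wrapper for callers that cannot rely on the fixed behaviour, added here as an example (not code from the PHP project or from this report): it compares the decoded array against the field names found in the raw header block and keeps the raw value for anything the decoder left out. `raw_header_fields()` and `decode_headers_checked()` are hypothetical helper names, and the sample message is constructed.

```php
<?php
// Added example, written in PHP 5.2-compatible syntax (array(), no scalar types).
// raw_header_fields() and decode_headers_checked() are hypothetical helper names.

// Collect field names and raw values straight from the header block.
function raw_header_fields($raw)
{
    // Unfold continuation lines: a line break followed by space or tab.
    $unfolded = preg_replace('/\r?\n[ \t]+/', ' ', $raw);
    $fields = array();
    foreach (preg_split('/\r?\n/', $unfolded) as $line) {
        if ($line === '') {
            break; // a blank line ends the header block
        }
        if (preg_match('/^([^\s:]+):\s*(.*)$/', $line, $m)) {
            $fields[$m[1]][] = $m[2];
        }
    }
    return $fields;
}

// Decode, then report and restore any field the decoder left out.
function decode_headers_checked($raw, $charset = 'ISO-8859-1')
{
    $expected = raw_header_fields($raw);
    $decoded = iconv_mime_decode_headers($raw, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, $charset);
    if (!is_array($decoded)) {
        $decoded = array();
    }
    $missing = array_values(array_diff(array_keys($expected), array_keys($decoded)));
    foreach ($missing as $name) {
        // Keep the undecoded raw value instead of losing the header.
        $values = $expected[$name];
        $decoded[$name] = count($values) === 1 ? $values[0] : $values;
    }
    return array('headers' => $decoded, 'missing' => $missing);
}

// Constructed sample: the report's Subject line followed by a header a filter might read.
$raw = "From: sender@example.com\n"
     . "Subject: =?ks_c_5601-1987?B?UkU6odk=?=\n"
     . "X-Antivirus-Status: Clean\n";
$result = decode_headers_checked($raw);
if ($result['missing']) {
    error_log('iconv_mime_decode_headers dropped: ' . implode(', ', $result['missing']));
}
var_dump($result['headers']);
```

The check flags only fields that are absent from the result; in the report's output the Subject value itself came back truncated, and a field present in both arrays is not compared.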
 
Last updated: Sat Apr 19 22:02:16 2014 UTC