Bug #68776 mail() does not have mail header injection prevention for additional headers
Submitted: 2015-01-09 09:59 UTC
Modified: 2015-06-25 04:24 UTC
From: yohgaki@php.net
Assigned: yohgaki
Status: Closed
Package: Mail related
PHP Version: Irrelevant
OS: any
Private report: No
CVE-ID:
 [2015-01-09 09:59 UTC] yohgaki@php.net
Description:
------------
mb_send_mail() parses additional headers and stores them in a hash. During the parse process, invalid headers are discarded.

However, mail() simply checks \0 and strips trailing \r\n. Therefore, mail() is vulnerable to mail header injections via the additional header parameter.



 [2015-01-17 18:40 UTC] cmbecker69 at gmx dot de
When passing unvalidated and unsanitized input as
$additional_headers argument, both functions are vulnerable to
email header injection. For instance:

  // $_POST['from'] == "me@example.com\r\nBcc: her@example.com"
  $from = $_POST['from'];
  mb_send_mail(
    'you@example.com', 'foo', 'bar', "From: $from"
  );
  
It seems to me that this is more of a documentation issue.
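
A caller-side check for the case in the comment above, as an added example that is not part of the bug report or of php-src. The helper name safe_from_address() is hypothetical and the sample inputs are constructed; the first one is the value quoted in the comment.

```php
<?php
// Added example: validate a user-supplied address before it is
// interpolated into the $additional_headers argument.

/**
 * Hypothetical helper. Returns the address if it can safely be placed
 * on a single header line, otherwise throws.
 */
function safe_from_address(string $input): string
{
    // CR, LF or NUL anywhere in the value would end the From: line early
    // and let the remainder be read as further header fields.
    if (preg_match('/[\r\n\0]/', $input)) {
        throw new InvalidArgumentException('control characters in address');
    }
    // Syntax check on what is left.
    $addr = filter_var($input, FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return $addr;
}

// Constructed sample inputs.
$samples = [
    "me@example.com\r\nBcc: her@example.com",
    "me@example.com",
];

foreach ($samples as $raw) {
    try {
        $from = safe_from_address($raw);
        // Only a validated value reaches the header string:
        // mb_send_mail('you@example.com', 'foo', 'bar', "From: $from");
        echo "accepted: $from\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```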
 [2015-01-25 02:57 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-01-25 03:00 UTC] yohgaki@php.net
@cmbecker69 Thanks. Sloppy reading the code.

I'll fix it anyway.
 [2015-06-01 01:12 UTC] stas@php.net
Please see my comments in git.
 [2015-06-10 04:35 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d168b863e007c4e15ebe4d2eecabdf8b0582e30
Log: Fixed bug #68776
 [2015-06-10 04:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2015-06-10 04:40 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d168b863e007c4e15ebe4d2eecabdf8b0582e30
Log: Fixed bug #68776
 [2015-06-10 05:12 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d168b863e007c4e15ebe4d2eecabdf8b0582e30
Log: Fixed bug #68776
 [2015-06-10 07:42 UTC] tyrael@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=13fbd03e9b054c4bd71d28a0151c74a30bed3970
Log: Fixed bug #68776
 [2015-06-10 08:50 UTC] tyrael@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d168b863e007c4e15ebe4d2eecabdf8b0582e30
Log: Fixed bug #68776
 [2015-06-10 09:15 UTC] jpauli@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4bf3f646eea270d93ef6b9ebcf285c77a70a733b
Log: Fixed bug #68776
 [2015-06-23 09:45 UTC] chaos at isocity dot de
Now it has issues with:

mail('', $subject,'',imap_mail_compose($envelope, $body));

Also this version of code:

function validateMail($str){
 return str_replace(array('\r\r','\r\0','\r\n\r\n','\n\n','\n\0'),'',$str);
}
mail('', $subject,'',validateMail(imap_mail_compose($envelope, $body)));
 [2015-06-23 11:49 UTC] yohgaki@php.net
We are aware of that.
I'm going to handle it.

https://bugs.php.net/bug.php?id=69791
 [2015-06-23 20:03 UTC] cmb@php.net
Yasuo, I assume that fixing bug #69791 will not make it possible
to pass the result of imap_mail_compose() as $additional_headers
parameter of mail(). Actually, I consider passing the body of a
mail via $additional_headers as more than doubtful.

However, the current documentation doesn't explicitly state that
this could not be done, and apparently it worked before the fix of
this bug had been applied. So this is a BC, albeit likely a very
minor one; the documentation should better be updated accordingly,
nonetheless.
 [2015-06-23 21:23 UTC] yohgaki@php.net
@cmb

I agree. Documentation must be improved. 
I'll update the doc.
 [2015-06-24 01:33 UTC] yohgaki@php.net
Done.

http://svn.php.net/viewvc?view=revision&revision=337039

Please feel free to improve anything.
 [2015-06-24 15:10 UTC] chaos at isocity dot de
Thx for response.

A short feedback here:

<?php

//Example mail with HTML body on additional_header
$uid = md5(rand());

$to = "example@example.com";
$subject = "My subject";

$headers = 

"From: webmaster@example.com" 				. "\r\n" .

"MIME-Version: 1.0" 					. "\r\n" .
"Content-Type: multipart/mixed; boundary=\"".$uid."\""	. "\r\n" .
"This is a multi-part message in MIME format." 		. "\r\n" .
"--".$uid						. "\r\n" .
"Content-Type: TEXT/html; CHARSET=iso-8859-1" 		. "\r\n" .
"Content-Transfer-Encoding: BASE64" 			. "\r\n" .
"Content-Description: htmlpart" 			. "\r\n" .
"" 							. "\r\n" .
"=?UTF-8?B?PHN0cm9uZz50ZXN0PC9zdHJvbmc+?=" 		. "\r\n" .
"--".$uid;

mail($to,$subject,'',$headers);

?>

Warning: mail(): Multiple or malformed newlines found in additional_header in /

It seems like it doesn't matter how to perform $additional_headers if something like attachments or html-body-parts are set up.

Addition: If this line: "". "\r\n" . is removed, the mail()-error doesn't apply. But unfortunately either no email is sent this way on one hosting platform or the email is sent without body on the other.
 [2015-06-25 04:21 UTC] yohgaki@php.net
@chaos

We are planning to eliminate injection by this
https://bugs.php.net/bug.php?id=69791
 [2015-06-25 04:24 UTC] yohgaki@php.net
@chaos

To send a multipart MIME message, users should use header and body correctly. RFC 2822 defines CRLF+CRLF as the start of the body. So if users are misusing $additional_headers, they have to fix their code.
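
The header/body split described in the comment above, applied to the message from the earlier feedback, as an added example that is not part of the bug report. The helper name build_html_mail() is hypothetical; the addresses and subject are the ones used earlier in the thread.

```php
<?php
// Added example: header fields go in $additional_headers, everything that
// follows the blank line (preamble, MIME parts) goes in $message.

// Hypothetical helper. $from must already be validated by the caller.
function build_html_mail(string $from, string $html): array
{
    $boundary = bin2hex(random_bytes(16)); // only has to be unique in this message

    // Header block: one field per line, a single CRLF between fields,
    // no empty line and no trailing CRLF.
    $headers = implode("\r\n", [
        "From: $from",
        'MIME-Version: 1.0',
        "Content-Type: multipart/mixed; boundary=\"$boundary\"",
    ]);

    // Body: preamble, one HTML part, closing delimiter. The empty string
    // yields the blank line between the part's own headers and its content.
    $message = implode("\r\n", [
        'This is a multi-part message in MIME format.',
        "--$boundary",
        'Content-Type: text/html; charset=iso-8859-1',
        'Content-Transfer-Encoding: base64',
        '',
        rtrim(chunk_split(base64_encode($html))),
        "--$boundary--",
        '',
    ]);

    return [$headers, $message];
}

[$headers, $message] = build_html_mail('webmaster@example.com', '<strong>test</strong>');

// An empty line inside the header block is what triggers the
// "Multiple or malformed newlines" warning quoted earlier in the thread.
$clean = strpos($headers, "\r\n\r\n") === false;
echo $clean ? "header block has no empty line\n" : "header block contains an empty line\n";

// Uncomment on a host with a configured mail transport:
// mail('example@example.com', 'My subject', $message, $headers);
```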
 [2015-09-02 13:18 UTC] merijn at web2all dot nl
@yohgaki

regarding your last comment @chaos; 
The documentation states 'String to be inserted at the end of the email header' and it could be (and has been) used to send a MIME message. 
So this injection prevention fix breaks code which worked for over 10 years. And it's also in a pretty important part, the sending of mail.

I think this should not be fixed in a minor release without any mention of a serious backwards compatibility break....
 