|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69791 Disallow mail header injections by extra headers
Submitted: 2015-06-10 08:42 UTC Modified: 2016-10-17 06:40 UTC
Avg. Score:4.5 ± 0.9
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: Assigned: yohgaki (profile)
Status: Closed Package: Mail related
PHP Version: master-Git-2015-06-10 (Git) OS: any
Private report: No CVE-ID: None
 [2015-06-10 08:42 UTC]
Current mail() and mb_send_mail() accepts additional headers as single string. Therefore, these functions are weak to mail header injections.

To avoid injections, mail/mb_send_mail should be able to accept additional headers as array that contains each element as single header. RFC 2822 "3.6. Field definitions" restricts certain header only once.
e.g. to, from, cc, bcc, subject, etc. 

Except these headers, mail/mb_send_mail should be able to set a headers multiple times.

Example additional headers array

$extra_headers = ["Bcc"=>"", "X-Other"=>["One", "Two"]];

Since "To" and "Subject" have dedicated parameters, $extra_headers should not contain "To" and "Subject". 

Related bugs


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-10 08:42 UTC]
-Assigned To: +Assigned To: yohgaki
 [2016-08-06 01:20 UTC]
I think this is a rather elegant solution, and it can be implemented in a sort of BC compatible way since the $extra_headers argument is expected to be a string. We could then move forward with E_DEPRECATED for sometime in 7.x and later force it to be an array.

 [2016-10-17 06:39 UTC]
-Status: Assigned +Status: Closed
 [2016-10-17 06:39 UTC]
Implemented in PHP 7.1.
 [2016-10-17 06:40 UTC]
Oops. Implemented in PHP 7.2
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC