php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69791 Disallow mail header injections by extra headers
Submitted: 2015-06-10 08:42 UTC Modified: 2016-10-17 06:40 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: Mail related
PHP Version: master-Git-2015-06-10 (Git) OS: any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yohgaki@php.net
New email:
PHP Version: OS:

 

 [2015-06-10 08:42 UTC] yohgaki@php.net
Description:
------------
Current mail() and mb_send_mail() accepts additional headers as single string. Therefore, these functions are weak to mail header injections.

To avoid injections, mail/mb_send_mail should be able to accept additional headers as array that contains each element as single header. RFC 2822 "3.6. Field definitions" restricts certain header only once. 

https://tools.ietf.org/html/rfc2822#section-3.6
e.g. to, from, cc, bcc, subject, etc. 

Except these headers, mail/mb_send_mail should be able to set a headers multiple times.

Example additional headers array

$extra_headers = ["Bcc"=>"php@php.net", "X-Other"=>["One", "Two"]];

Since "To" and "Subject" have dedicated parameters, $extra_headers should not contain "To" and "Subject". 

Related bugs
 - https://bugs.php.net/bug.php?id=15841
 - https://bugs.php.net/bug.php?id=14799
 - https://bugs.php.net/bug.php?id=68776




Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-10 08:42 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-08-06 01:20 UTC] kalle@php.net
I think this is a rather elegant solution, and it can be implemented in a sort of BC compatible way since the $extra_headers argument is expected to be a string. We could then move forward with E_DEPRECATED for sometime in 7.x and later force it to be an array.

+1
 [2016-10-17 06:39 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 06:39 UTC] yohgaki@php.net
Implemented in PHP 7.1.
 [2016-10-17 06:40 UTC] yohgaki@php.net
Oops. Implemented in PHP 7.2
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Nov 10 03:01:29 2024 UTC