Bug #74139 mail.add_x_header default inconsistent with docs
Submitted: 2017-02-21 09:10 UTC Modified: 2018-03-13 22:48 UTC
From: marcus at synchromedia dot co dot uk Assigned: cmb (profile)
Status: Closed Package: Mail related
PHP Version: 7.1.2 OS: All
Private report: No CVE-ID: None
 [2017-02-21 09:10 UTC] marcus at synchromedia dot co dot uk
On the documentation page for mail() runtime configuration, it says that the `mail.add_x_header` config option is `0` by default; however, it is set to `On` in the php.ini development and production ini files provided with PHP, and as a consequence it defaults to that value in every packaged version of PHP I've found. This is a security risk, as it represents an unnecessary leak of information (disclosing both PID and script name) that may be of use to attackers.


Default php.ini:

As well as being a minor security risk, the addition of this header is done incorrectly in PHP versions between 7.0.0 - 7.0.16 and 7.1.0 - 7.1.2, since the header addition uses an incorrect line break format (see bug This was fixed in PHP 7.1.3 and 7.0.17. This bug, when combined with the inconsistent ini setting, will result in mail sending failures or corrupted messages in affected PHP versions.

An appropriate fix would be to set the default in provided php.ini files to the value described in documentation, i.e. `mail.add_x_header = 0`.
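An audit helper for the discrepancy described in the report, added here as an example and not part of the bug thread or of PHP itself: it reads a php.ini on stdin and reports the effective `mail.add_x_header` value, treating an absent directive as the documented default of 0 and applying PHP's boolean spellings to the last uncommented assignment. The sample ini fragments embedded below are constructed.

```shell
#!/bin/sh
# php_add_x_header_effective: print "on" or "off" for the php.ini read on stdin.
# The last uncommented assignment of mail.add_x_header wins; if the directive is
# absent, the documented default (0) applies and no X-PHP-Originating-Script
# header is added to outgoing mail.
php_add_x_header_effective() {
  val=$(awk -F= '
    # Match the directive name only on non-comment lines (a leading ";" makes
    # $1 start with ";" and fail this pattern); keep the value of the last hit.
    tolower($1) ~ /^[ \t]*mail\.add_x_header[ \t]*$/ {
      v = $2
      sub(/;.*$/, "", v)          # drop a trailing inline comment
      gsub(/["\t ]/, "", v)       # drop quotes and whitespace
      v = tolower(v)
    }
    END { print v }')
  # PHP ini parsing treats these spellings as false; anything else (On, 1,
  # true, yes, or an arbitrary string) enables the header.
  case "$val" in
    ''|0|off|false|no|none) echo off ;;
    *) echo on ;;
  esac
}

# Constructed fragments: the shipped php.ini-development/production setting the
# report objects to, and the value the report proposes.
SHIPPED_INI='; constructed sample of the shipped ini
mail.add_x_header = On'
PROPOSED_INI='mail.add_x_header = 0'

demo() {
  printf 'shipped:  %s\n'  "$(printf '%s\n' "$SHIPPED_INI"  | php_add_x_header_effective)"
  printf 'proposed: %s\n'  "$(printf '%s\n' "$PROPOSED_INI" | php_add_x_header_effective)"
}
```

To check a live system rather than a file, compare against `php -i | grep add_x_header`, which reports the value actually loaded.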


 [2018-03-13 22:46 UTC]
-Status: Open +Status: Verified -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2018-03-13 22:46 UTC]
Thanks for the report – and sorry for the late reply!

While I certainly agree that the respective values in the default
php.inis should be fixed (since mail.add_x_header actually
defaults to 0[1]), I don't think this qualifies a security issue,
since the possibly leaking information is rather humble, and users
are supposed to be aware of such information leakage.

[1] <>
 [2018-03-13 22:48 UTC]
-Summary: mail.add_x_header default inconsistent with docs, presents minor security risk +Summary: mail.add_x_header default inconsistent with docs
 [2018-03-13 23:02 UTC]
Automatic comment on behalf of
Log: Fix #74139: mail.add_x_header default inconsistent with docs [ci skip]
 [2018-03-13 23:02 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon May 29 10:03:44 2023 UTC