Bug #74139 mail.add_x_header default inconsistent with docs
Submitted: 2017-02-21 09:10 UTC Modified: 2018-03-13 22:48 UTC
From: marcus at synchromedia dot co dot uk Assigned: cmb (profile)
Status: Closed Package: Mail related
PHP Version: 7.1.2 OS: All
Private report: No CVE-ID: None
 [2017-02-21 09:10 UTC] marcus at synchromedia dot co dot uk
Description:
------------
On the documentation page for mail() runtime configuration, it says that the `mail.add_x_header` config option is `0` by default, however, it is set to `On` in the php.ini development and production ini files provided with PHP, and as a consequence, defaults to that value in every packaged version of PHP I've found. This is a security risk as it represents an unnecessary leak of information (disclosing both PID and script name) that may be of use to attackers.

Docs:
http://php.net/manual/en/mail.configuration.php#ini.mail.add-x-header

Default php.ini:
https://github.com/php/php-src/blob/master/php.ini-production#L1052

As well as being a minor security risk, the addition of this header is done incorrectly in PHP versions between 7.0.0 - 7.0.16 and 7.1.0 - 7.1.2 since the header addition uses an incorrect line break format (see bug https://bugs.php.net/bug.php?id=74005). This was fixed in PHP 7.1.3 and 7.0.17. This bug, when combined with the inconsistent ini setting, will result in mail sending failures or corrupted messages in affected PHP versions.

An appropriate fix would be to set the default in provided php.ini files to the value described in documentation, i.e. `mail.add_x_header = 0`.
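Added example, not code from the report or from PHP itself: a small Python audit that reads php.ini text with the same truthiness rules PHP's boolean INI handler applies and reports the effective `mail.add_x_header` value, so an operator can spot a packaged ini that turns the header on despite the documented default of `0`. The ini excerpt is constructed; the header name X-PHP-Originating-Script is the one PHP emits when the option is on.

```python
import re
from typing import Optional

# Documented default for mail.add_x_header in the PHP manual: 0 (Off).
DOCUMENTED_DEFAULT = False

# Constructed excerpt in the shape of a packaged php.ini (not the real file).
SAMPLE_INI = """
[mail function]
; adds the X-PHP-Originating-Script header to every mail() call
mail.add_x_header = On
"""


def ini_bool(value: str) -> bool:
    """Interpret an ini value like PHP's boolean INI handler:
    'on' / 'true' / 'yes' (case-insensitive) are true; anything else is
    true only if its leading integer is non-zero, so '0', 'Off', 'none'
    and the empty string are all false."""
    v = value.strip().strip('"')
    if v.lower() in ("on", "true", "yes"):
        return True
    m = re.match(r"-?\d+", v)
    return bool(int(m.group())) if m else False


def effective_add_x_header(ini_text: str) -> Optional[bool]:
    """Return the value mail.add_x_header takes from this ini text, or None
    when it is not set (PHP then uses its built-in default, 0).
    Lines starting with ';' are comments; the last assignment wins."""
    result = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        m = re.match(r"mail\.add_x_header\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            result = ini_bool(m.group(1))
    return result


def audit(ini_text: str) -> str:
    """One-line finding for a config review."""
    value = effective_add_x_header(ini_text)
    if value is None:
        return "not set: built-in default (Off) applies"
    if value == DOCUMENTED_DEFAULT:
        return "Off: matches documented default"
    return "On: X-PHP-Originating-Script (uid and script path) added to outgoing mail"


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```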


History

 [2018-03-13 22:46 UTC] cmb@php.net
-Status: Open +Status: Verified -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2018-03-13 22:46 UTC] cmb@php.net
Thanks for the report – and sorry for the late reply!

While I certainly agree that the respective values in the default
php.inis should be fixed (since mail.add_x_header actually
defaults to 0[1]), I don't think this qualifies as a security issue,
since the possibly leaking information is rather humble, and users
are supposed to be aware of such information leakage.

[1] <https://github.com/php/php-src/blob/PHP-7.2.4/main/main.c#L613>
 [2018-03-13 22:48 UTC] cmb@php.net
-Summary: mail.add_x_header default inconsistent with docs, presents minor security risk +Summary: mail.add_x_header default inconsistent with docs
 [2018-03-13 23:02 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25f324fad7f2d753d1d8c87035a059f16cd7799c
Log: Fix #74139: mail.add_x_header default inconsistent with docs [ci skip]
 [2018-03-13 23:02 UTC] cmb@php.net
-Status: Verified +Status: Closed
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Jul 17 06:01:44 2018 UTC