|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78617 mb_decode_mimeheader does not follow RFC2047 correctly
Submitted: 2019-10-01 09:17 UTC Modified: 2019-10-02 18:01 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: marcus at synchromedia dot co dot uk Assigned:
Status: Verified Package: mbstring related
PHP Version: 7.3.10 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: marcus at synchromedia dot co dot uk
New email:
PHP Version: OS:


 [2019-10-01 09:17 UTC] marcus at synchromedia dot co dot uk
[RFC2047 section 4.2]( describes a way of encoding 8-bit characters sets in email headers, and in PHP that's handled by the mbstring extension. In that section, spaces can be encoded using either `=20` or `_`, the latter being preferable as it is more readable and uses fewer characters. A header encoded this way might look like this:

    X-My-Header: =?us-ascii?Q?hello_world?=

(this is a simplistic example - that header value does not actually *need* RFC2047 encoding, though it is harmless)

The mb_decode_mimeheader function does not decode this correctly, leaving the underscore undecoded. It does decode the alternative `=20` syntax correctly.

A workaround is to encode the `_` as `=20` prior to decoding, as in:

    mb_decode_mimeheader(str_replace('_', '=20', 'X-My-Header: =?us-ascii?Q?hello_world?='))

Note that this should not be applied blindly because the header may not be Q-encoded in the first place.

Test script:
echo mb_decode_mimeheader('X-My-Header: =?us-ascii?Q?hello_world?=');

Expected result:
X-My-Header: hello world

Actual result:
X-My-Header: hello_world


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-01 09:33 UTC]
-Status: Open +Status: Verified -Package: Strings related +Package: mbstring related
 [2019-10-01 09:33 UTC]
Confirmed: <>.
 [2019-10-02 16:52 UTC]
The actual problem here is that MBString does not distinguish
between Quoted-Printable and Q encoding.
 [2019-10-02 18:01 UTC] marcus at synchromedia dot co dot uk
Seems a bit odd that it thinks it should use quoted printable directly in a header at all. Q encoding is a wrapper around quoted-printable - within the `=?charset?Q?...?=` container it's the same.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 15 09:01:28 2024 UTC