Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94907 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 11662 invoked from network); 7 Aug 2016 23:34:20 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 Aug 2016 23:34:20 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:44581] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A5/26-33134-975C7A75 for ; Sun, 07 Aug 2016 19:34:19 -0400 Received: (qmail 45786 invoked by uid 89); 7 Aug 2016 23:34:13 -0000 Received: from unknown (HELO mail-qt0-f180.google.com) (yohgaki@ohgaki.net@209.85.216.180) by 0 with ESMTPA; 7 Aug 2016 23:34:13 -0000 Received: by mail-qt0-f180.google.com with SMTP id x25so196787214qtx.2 for ; Sun, 07 Aug 2016 16:34:12 -0700 (PDT) X-Gm-Message-State: AEkoouv0i4F7I+DSRZiT12OUc73WHrs2CbfCFe3yaunITDVD6bRBu/ksaR21+xhz0jbXN77XG58Dl0pI57G0hQ== X-Received: by 10.237.53.206 with SMTP id d14mr25564977qte.83.1470612847325; Sun, 07 Aug 2016 16:34:07 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.85.242 with HTTP; Sun, 7 Aug 2016 16:33:26 -0700 (PDT) Date: Mon, 8 Aug 2016 08:33:26 +0900 X-Gmail-Original-Message-ID: Message-ID: To: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Disabling mail header injections via extra(additional) headers. From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi all, I disabled \r\n injections, that could override hole contents of mail, by checking string extra headers for mail/mb_send_mail already. Extra mail headers could be checked more by having array extra headers. https://bugs.php.net/bug.php?id=69791 https://github.com/php/php-src/pull/2060 This patch accepts both "string"(current) and "array"(new) extra headers. It does a lot more checks than string version. I spend only few hours including research for this, so it might contain mistakes. Please review. I'll merge this to master within a week or so. Thank you. P.S. Even with array extra headers, it cannot prevent unwanted mail header injections. e.g. Attackers may inject unwanted 'bcc' headers with bad code. However, it does better job than string only extra headers. -- Yasuo Ohgaki yohgaki@ohgaki.net