Hi all,
I disabled \r\n injections, which could override the whole contents of a mail,
by checking string extra headers for mail/mb_send_mail already.
Extra mail headers could be checked more thoroughly by having array extra headers.
https://bugs.php.net/bug.php?id=69791
https://github.com/php/php-src/pull/2060
This patch accepts both "string" (current) and "array" (new) extra
headers. It does a lot more checks than the string version.
I spent only a few hours on this, including research, so it might
contain mistakes.
Please review. I'll merge this to master within a week or so.
Thank you.
P.S. Even with array extra headers, it cannot prevent unwanted mail
header injections, e.g. attackers may inject unwanted 'bcc' headers
with bad code. However, it does a better job than string-only extra
headers.
--
Yasuo Ohgaki
yohgaki@ohgaki.net
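As an added illustration of the difference between the two forms (this is example code written for this page, not the PR's code and not how php-src implements the check), the function below validates an array of extra headers before they would be joined into the header block. Its rules are assumptions chosen for the example: header names must be valid RFC 5322 field names, values may not contain CR, LF or NUL, headers mail() builds from its own arguments (To, Subject) are rejected, and address headers (Cc, Bcc) may not be repeated. With a single string, only the CRLF check is possible; with an array each header can be checked on its own.

```php
<?php
declare(strict_types=1);

// Example code (not php-src): per-header validation that an array form makes
// possible. All rules below are assumptions for this illustration.

final class HeaderValidationError extends InvalidArgumentException {}

/**
 * Build the extra-header block from name => value (or name => [values]).
 * Returns the CRLF-joined "Name: value" lines, or throws on anything that
 * could inject or override a header.
 */
function build_extra_headers(array $headers): string
{
    // mail() derives these from its own arguments; accepting them here would
    // let a caller override them.
    static $reserved = ['to', 'subject'];
    // Address headers that must appear at most once in the extra headers.
    static $single = ['cc', 'bcc'];

    $lines = [];
    foreach ($headers as $name => $value) {
        // RFC 5322 field name: printable US-ASCII except ':'.
        if (!is_string($name) || !preg_match('/^[\x21-\x39\x3B-\x7E]+$/', $name)) {
            throw new HeaderValidationError('invalid header name: ' . var_export($name, true));
        }
        $lower = strtolower($name);
        if (in_array($lower, $reserved, true)) {
            throw new HeaderValidationError("header '$name' is reserved");
        }
        $values = is_array($value) ? array_values($value) : [$value];
        if (in_array($lower, $single, true) && count($values) !== 1) {
            throw new HeaderValidationError("header '$name' may appear only once");
        }
        foreach ($values as $v) {
            if (!is_string($v)) {
                throw new HeaderValidationError("header '$name' value must be a string");
            }
            // A CR/LF here would start a new header line: this is the injection
            // the string form can only catch by scanning the whole block.
            if (preg_match('/[\r\n\0]/', $v)) {
                throw new HeaderValidationError("header '$name' contains a line break");
            }
            $lines[] = $name . ': ' . $v;
        }
    }
    return implode("\r\n", $lines);
}

// Constructed sample input: a well-formed header set.
echo build_extra_headers([
    'From'         => 'noreply@example.invalid',
    'Reply-To'     => 'support@example.invalid',
    'X-Mailer'     => 'example-app',
    'Content-Type' => 'text/plain; charset=UTF-8',
]), "\n";

// Constructed bad inputs: each is rejected instead of reaching the MTA.
$bad = [
    ['X-Note' => "hello\r\nBcc: other@example.invalid"], // line break in value
    ['To'     => 'someone@example.invalid'],             // reserved header
    ['Cc'     => ['a@example.invalid', 'b@example.invalid']], // repeated address header
    ['Bad Name' => 'x'],                                 // space in field name
];
foreach ($bad as $headers) {
    try {
        build_extra_headers($headers);
        echo "unexpectedly accepted\n";
    } catch (HeaderValidationError $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The point of the array form is that the validator knows where one header ends and the next begins, so it can apply per-name policy (reserved names, repeat limits) rather than only scanning for stray line breaks.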
I'm confident in the feature now.
I'll merge the PR to master
https://github.com/php/php-src/pull/2060
in a few days. If anyone feels there should be an RFC, please let me know.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net