From: anzenews at volja dot net
Operating system: any
PHP version: 5.2.5
PHP Bug Type: Feature/Change Request
Bug description: mail() function and newlines

Description:
------------
Most PHP users are unaware of the security implications of such "Send to friend" scripts:

<?php
mail($_POST['send_to_friend'], $_POST['subject'], $_POST['message']);
?>

I propose a change to the parameters of mail():

mail(array $to, string $subject, string $message [, array $additional_headers [, string $additional_parameters ]] );

The function should throw a warning if there is a newline anywhere, even inside the arrays, and should not process the mail.

I agree that the programmer should know their tools, BUT:
- the fact is that most PHP users don't
- most of the TUTORIALS are insecure! A quick search for "PHP mail example" reveals many prominent pages with such examples.

This is a huge problem and spammers are abusing it extensively.

As this will undoubtedly break some scripts (though the fix should be easy), I suggest adding a configuration setting that enables such mail() behaviour.

Reproduce code:
---------------
<?php
// $_POST['send_to_friend'] == "[EMAIL PROTECTED]" . "\n" . "BCC: [EMAIL PROTECTED]";
mail($_POST['send_to_friend'], $_POST['subject'], $_POST['message']);
?>

Expected result:
----------------
Warning: newline in mail() function, line...
Mail not sent or everything after newline ignored.
Actual result:
--------------
Mail sent to [EMAIL PROTECTED] and to [EMAIL PROTECTED]

-- 
Edit bug report at http://bugs.php.net/?id=44187&edit=1
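The behaviour the report asks for can be prototyped in userland without touching the engine. The following is an added example, not code from the bug report or from PHP itself: a wrapper (hypothetically named mail_strict(), with helper names contains_newline() and find_header_injection() also chosen here) that takes the proposed array-of-recipients / array-of-headers signature, scans every recipient, the subject and every header name and value for CR or LF, and raises a warning and sends nothing when it finds one. It targets current PHP (7.1 or later, for the scalar and nullable type declarations) rather than the 5.2.5 mentioned in the report, and the addresses are constructed placeholders.

```php
<?php
// Added example: userland enforcement of the newline rule proposed for mail().
// mail_strict(), contains_newline() and find_header_injection() are names
// chosen for this example; they are not part of PHP's API.

/**
 * True if $value contains a carriage return or line feed anywhere.
 * Both characters matter: the MTA treats either as the end of a header line.
 */
function contains_newline(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

/**
 * Scan recipients, subject and extra headers. Returns null when everything is
 * clean, otherwise a short description of the first field carrying a newline.
 */
function find_header_injection(array $to, string $subject, array $additional_headers): ?string
{
    foreach ($to as $i => $addr) {
        if (!is_string($addr) || contains_newline($addr)) {
            return "recipient #$i";
        }
    }
    if (contains_newline($subject)) {
        return "subject";
    }
    foreach ($additional_headers as $name => $value) {
        if (contains_newline((string) $name) || contains_newline((string) $value)) {
            return "header '$name'";
        }
    }
    return null;
}

/**
 * mail() with the semantics the report proposes: array of recipients, array of
 * extra headers, and a warning (mail not sent) if any newline is present.
 * The message body is deliberately not checked; newlines belong there.
 */
function mail_strict(
    array $to,
    string $subject,
    string $message,
    array $additional_headers = [],
    string $additional_parameters = ''
): bool {
    $bad = find_header_injection($to, $subject, $additional_headers);
    if ($bad !== null) {
        trigger_error("mail_strict(): newline found in $bad; mail not sent", E_USER_WARNING);
        return false;
    }

    // Only here do we build the header block ourselves, one validated line each.
    $headers = [];
    foreach ($additional_headers as $name => $value) {
        $headers[] = "$name: $value";
    }
    return mail(implode(', ', $to), $subject, $message, implode("\r\n", $headers), $additional_parameters);
}

// Constructed input modelled on the report's reproduce case: the recipient
// field carries an injected BCC header after a newline.
$injected = "friend@example.invalid\nBCC: other@example.invalid";

// The insecure one-liner from the report would hand $injected straight to the
// MTA. The strict variant refuses it and names the field that was tampered with.
var_dump(find_header_injection([$injected], 'hello', []));
var_dump(find_header_injection(['friend@example.invalid'], 'hello', ['From' => 'me@example.invalid']));
```

The check runs before any string concatenation, so a newline hidden in a header name (an attacker-controlled array key) is caught as well as one in a value. Returning false from the wrapper, rather than silently truncating at the newline, matches the first of the two outcomes the report lists as acceptable and gives the calling script something it can log.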
