From: s dot masugata at digicom dot dnp dot co dot jp Operating system: Solaris8 PHP version: 4.4.2RC1 PHP Bug Type: mbstring related Bug description: By the unexpected header can be injected at the mb_send_mail
Description: ------------ The unexpected header can be injected at the mb_send_mail function. The mail function is doing the check of the unexpected control code to "To" and "Subject". However, the mb_send_mail function isn't doing a check. By the feature of the function overload, mail function is exchanged for the mb_send_mail function. Therefore, it thinks that the check like the mail function is necessary about the mb_send_mail function, too. It is "To" that seems to need a check. The report is PHP4 but needs the same correction about PHP5. --- php-4.4.2RC1/ext/mbstring/mbstring.c,orig 2005-11-05 10:14:05.000000000 +0900 +++ php-4.4.2RC1/ext/mbstring/mbstring.c 2005-11-21 09:42:42.000000000 +0900 @@ -3460,6 +3460,22 @@ * Sends an email message with MIME scheme */ #if HAVE_SENDMAIL +#define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \ + if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \ + pos += 3; \ + while (str[pos] == ' ' || str[pos] == '\t') { \ + pos++; \ + } \ + continue; \ + } \ + else if (str[pos] == '\n' && (str[pos + 1] == ' ' || str[pos + 1] == '\t')) { \ + pos += 2; \ + while (str[pos] == ' ' || str[pos] == '\t') { \ + pos++; \ + } \ + continue; \ + } \ + PHP_FUNCTION(mb_send_mail) { int argc, n; @@ -3475,6 +3491,8 @@ mbfl_memory_device device; /* automatic allocateable buffer for additional header */ const mbfl_language *lang; int err = 0; + char *to_r; + int to_len, i; /* initialize */ mbfl_memory_device_init(&device, 0, 0); @@ -3501,6 +3519,29 @@ convert_to_string_ex(argv[0]); if (Z_STRVAL_PP(argv[0])) { to = Z_STRVAL_PP(argv[0]); + to_len = Z_STRLEN_PP(argv[0]); + if (to_len > 0) { + to_r = estrndup(to, to_len); + for (; to_len; to_len--) { + if (!isspace((unsigned char) to_r[to_len - 1])) { + break; + } + to_r[to_len - 1] = '\0'; + } + for (i = 0; to_r[i]; i++) { + if (iscntrl((unsigned char) to_r[i])) { + /* According to RFC 822, section 3.1.1 long headers may be separated into + * parts using CRLF followed at least one linear-white-space character ('\t' or ' '). + * To prevent these separators from being replaced with a space, we use the + * SKIP_LONG_HEADER_SEP_MBSTRING to skip over them. + */ + SKIP_LONG_HEADER_SEP_MBSTRING(to_r, i); + to_r[i] = ' '; + } + } + } else { + to_r = to; + } } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing To: field"); err = 1; @@ -3599,12 +3640,15 @@ extra_cmd = php_escape_shell_cmd(extra_cmd); } - if (!err && php_mail(to, subject, message, headers, extra_cmd TSRMLS_CC)) { + if (!err && php_mail(to_r, subject, message, headers, extra_cmd TSRMLS_CC)) { RETVAL_TRUE; } else { RETVAL_FALSE; } + if (to_r != to) { + efree(to_r); + } if (extra_cmd) { efree(extra_cmd); } Reproduce code: --------------- <?php $TO = "[EMAIL PROTECTED]: [EMAIL PROTECTED]". "Subject: SPAM Subject\n\nSPAM SPAM SPAM SPAM Body"; mb_send_mail( $TO, "TEST Subject", "TEST Body" ); // NG!! mail send. mail( $TO, "TEST Subject", "TEST Body" ); // OK!! mail not send. ?> -- Edit bug report at http://bugs.php.net/?id=35307&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=35307&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=35307&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=35307&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=35307&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=35307&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=35307&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=35307&r=needscript Try newer version: http://bugs.php.net/fix.php?id=35307&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=35307&r=support Expected behavior: http://bugs.php.net/fix.php?id=35307&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=35307&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=35307&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=35307&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=35307&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=35307&r=dst IIS Stability: http://bugs.php.net/fix.php?id=35307&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=35307&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=35307&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=35307&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=35307&r=mysqlcfg