From: oliver dot block at lycos dot de
Operating system: Unix
PHP version: 5.1.2
PHP Bug Type: IMAP related
Bug description: imap_header - malicious processing of multiple 'from'-headers
Description:
------------
When someone send mail with multiple from-header containing mulitple
mailboxes, for example:
From: name1 <[EMAIL PROTECTED]>, name2 <[EMAIL PROTECTED]>, name3
<[EMAIL PROTECTED]>
the function imap_header() (maybe others too) should keep this edresses in
the from-field.
Unfortunately the imap_function does not keep this data in the from-field,
but in the _sender_ field.
The same is applicable to fromaddress and senderaddress fields!
Reproduce code:
---------------
<?php
$stream = imap_open($server,$username,$password);
$header = imap_header($stream, $msgno);
// $msgno is a valid message no to a message with multiple mailboxes in
'From:' header field
print "<html><head><head><body><pre>";
print_r($header);
print "</pre></body></html>";
imap_close($stream);
?>
Expected result:
----------------
[from] => Array
[0] => stdClass Object
(
[personal] => name1
[mailbox] => mbox1
[host] => hotmail.com
)
[1] => stdClass Object
(
[personal] => name2
[mailbox] => mbox2
[host] => yahoo.com
)
[2] => stdClass Object
(
[personal] => name3
[mailbox] => mbox3
[host] => web.de
)
Actual result:
--------------
[sender] => Array
[0] => stdClass Object
(
[personal] => name1
[mailbox] => mbox1
[host] => hotmail.com
)
[1] => stdClass Object
(
[personal] => name2
[mailbox] => mbox2
[host] => yahoo.com
)
[2] => stdClass Object
(
[personal] => name3
[mailbox] => mbox3
[host] => web.de
)
--
Edit bug report at http://bugs.php.net/?id=37109&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=37109&r=trysnapshot44
Try a CVS snapshot (PHP 5.1):
http://bugs.php.net/fix.php?id=37109&r=trysnapshot51
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=37109&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=37109&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=37109&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=37109&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=37109&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=37109&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=37109&r=support
Expected behavior: http://bugs.php.net/fix.php?id=37109&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=37109&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=37109&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=37109&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=37109&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=37109&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=37109&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=37109&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=37109&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=37109&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=37109&r=mysqlcfg
