From: oliver dot block at lycos dot de Operating system: Unix PHP version: 5.1.2 PHP Bug Type: IMAP related Bug description: imap_header - malicious processing of multiple 'from'-headers
Description: ------------ When someone send mail with multiple from-header containing mulitple mailboxes, for example: From: name1 <[EMAIL PROTECTED]>, name2 <[EMAIL PROTECTED]>, name3 <[EMAIL PROTECTED]> the function imap_header() (maybe others too) should keep this edresses in the from-field. Unfortunately the imap_function does not keep this data in the from-field, but in the _sender_ field. The same is applicable to fromaddress and senderaddress fields! Reproduce code: --------------- <?php $stream = imap_open($server,$username,$password); $header = imap_header($stream, $msgno); // $msgno is a valid message no to a message with multiple mailboxes in 'From:' header field print "<html><head><head><body><pre>"; print_r($header); print "</pre></body></html>"; imap_close($stream); ?> Expected result: ---------------- [from] => Array [0] => stdClass Object ( [personal] => name1 [mailbox] => mbox1 [host] => hotmail.com ) [1] => stdClass Object ( [personal] => name2 [mailbox] => mbox2 [host] => yahoo.com ) [2] => stdClass Object ( [personal] => name3 [mailbox] => mbox3 [host] => web.de ) Actual result: -------------- [sender] => Array [0] => stdClass Object ( [personal] => name1 [mailbox] => mbox1 [host] => hotmail.com ) [1] => stdClass Object ( [personal] => name2 [mailbox] => mbox2 [host] => yahoo.com ) [2] => stdClass Object ( [personal] => name3 [mailbox] => mbox3 [host] => web.de ) -- Edit bug report at http://bugs.php.net/?id=37109&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=37109&r=trysnapshot44 Try a CVS snapshot (PHP 5.1): http://bugs.php.net/fix.php?id=37109&r=trysnapshot51 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=37109&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=37109&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=37109&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=37109&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=37109&r=needscript Try newer version: http://bugs.php.net/fix.php?id=37109&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=37109&r=support Expected behavior: http://bugs.php.net/fix.php?id=37109&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=37109&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=37109&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=37109&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=37109&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=37109&r=dst IIS Stability: http://bugs.php.net/fix.php?id=37109&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=37109&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=37109&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=37109&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=37109&r=mysqlcfg