hirokawa Wed Nov 23 10:16:44 2005 EDT Modified files: /php-src/ext/mbstring mbstring.c Log: fixed 5307 unexpected header can be injected to mb_send_mail(). http://cvs.php.net/diff.php/php-src/ext/mbstring/mbstring.c?r1=1.227&r2=1.228&ty=u Index: php-src/ext/mbstring/mbstring.c diff -u php-src/ext/mbstring/mbstring.c:1.227 php-src/ext/mbstring/mbstring.c:1.228 --- php-src/ext/mbstring/mbstring.c:1.227 Sat Nov 19 01:32:20 2005 +++ php-src/ext/mbstring/mbstring.c Wed Nov 23 10:16:39 2005 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: mbstring.c,v 1.227 2005/11/19 06:32:20 hirokawa Exp $ */ +/* $Id: mbstring.c,v 1.228 2005/11/23 15:16:39 hirokawa Exp $ */ /* * PHP 4 Multibyte String module "mbstring" @@ -2798,6 +2798,15 @@ */ #if HAVE_SENDMAIL +#define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \ + if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \ + pos += 3; \ + while (str[pos] == ' ' || str[pos] == '\t') { \ + pos++; \ + } \ + continue; \ + } + #define APPEND_ONE_CHAR(ch) do { \ if (token.a > 0) { \ smart_str_appendc(&token, ch); \ @@ -3009,6 +3018,8 @@ int subject_len; char *extra_cmd=NULL; int extra_cmd_len; + int i; + char *to_r; char *force_extra_parameters = INI_STR("mail.force_extra_parameters"); struct { int cnt_type:1; @@ -3115,7 +3126,30 @@ } /* To: */ - if (to == NULL || to_len <= 0) { + if (to != NULL) { + if (to_len > 0) { + to_r = estrndup(to, to_len); + for (; to_len; to_len--) { + if (!isspace((unsigned char) to_r[to_len - 1])) { + break; + } + to_r[to_len - 1] = '\0'; + } + for (i = 0; to_r[i]; i++) { + if (iscntrl((unsigned char) to_r[i])) { + /* According to RFC 822, section 3.1.1 long headers may be separated into + * parts using CRLF followed at least one linear-white-space character ('\t' or ' '). + * To prevent these separators from being replaced with a space, we use the + * SKIP_LONG_HEADER_SEP_MBSTRING to skip over them. + */ + SKIP_LONG_HEADER_SEP_MBSTRING(to_r, i); + to_r[i] = ' '; + } + } + } else { + to_r = to; + } + } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing To: field"); err = 1; } @@ -3217,7 +3251,7 @@ extra_cmd = php_escape_shell_cmd(extra_cmd); } - if (!err && php_mail(to, subject, message, headers, extra_cmd TSRMLS_CC)) { + if (!err && php_mail(to_r, subject, message, headers, extra_cmd TSRMLS_CC)) { RETVAL_TRUE; } else { RETVAL_FALSE; @@ -3226,6 +3260,9 @@ if (extra_cmd) { efree(extra_cmd); } + if (to_r != to) { + efree(to_r); + } if (subject_buf) { efree((void *)subject_buf); } @@ -3236,6 +3273,7 @@ zend_hash_destroy(&ht_headers); } +#undef SKIP_LONG_HEADER_SEP_MBSTRING #undef APPEND_ONE_CHAR #undef SEPARATE_SMART_STR #undef PHP_MBSTR_MAIL_MIME_HEADER1
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php