Edit report at http://bugs.php.net/bug.php?id=44187&edit=1
ID: 44187
Comment by: lukas dot starecek at centrum dot cz
Reported by: anzenews at volja dot net
Summary: mail() function and newlines
Status: Open
Type: Feature/Change Request
Package: Feature/Change Request
Operating System: any
PHP Version: 5.2.5

New Comment:

Be careful with that. There have to be newlines in the subject if the subject is too long (see RFC 2047), but there must not be two newlines consecutively (two consecutive newlines are the header separator).

Previous Comments:
------------------------------------------------------------------------

[2008-02-20 15:07:11] anzenews at volja dot net

Description:
------------
Most PHP users are unaware of the security implications of such "Send to friend" scripts:

<? mail($_POST['send_to_friend'],$_POST['subject'],$_POST['message']); ?>

I propose a change of parameters to mail():

mail(array $to, string $subject, string $message[, array $additional_headers [, string $additional_parameters ]] );

The function should throw a warning if there is a newline anywhere, even inside arrays, and should not process the mail.

I agree that the programmer should know their tools, BUT:
- the fact is that most PHP users don't
- most of the TUTORIALS are insecure! A quick search for "PHP mail example" reveals many prominent pages with such examples.

This is a huge problem and spammers are abusing it extensively.

As this will undoubtedly break some of the scripts (though the fix should be easy), I suggest adding a configuration statement that enables such mail() behaviour.

Reproduce code:
---------------
<?
// $_POST['send_to_friend'] == "m...@example.com\r\n".
//                             "BCC: y...@example.com";
mail($_POST['send_to_friend'],$_POST['subject'],$_POST['message']);
?>

Expected result:
----------------
Warning: newline in mail() function, line...
Mail not sent or everything after newline ignored.

Actual result:
--------------
Mail sent to m...@example.com and to y...@example.com.
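A defensive wrapper that implements the check the report asks for, while allowing the legitimately folded long subject the comment above mentions. This is an added example, not code from the bug report or from PHP's own mail(); it assumes the header-folding rule of RFC 2822 section 2.2.3 (CRLF followed by a space or tab continues a header) and uses the hypothetical names header_value_is_safe() and safe_mail().

```php
<?php
// Added example (hypothetical helpers, not PHP's mail() itself).
// A folded header continues on the next line with CRLF followed by a space
// or tab; an empty line (CRLF CRLF) ends the header block; a bare CR or LF
// is never valid inside a header value.

function header_value_is_safe(string $value, bool $allow_folding = false): bool {
    if ($allow_folding) {
        // Collapse every legal fold (CRLF + one or more WSP) into a space;
        // whatever CR/LF survives is not a fold.
        $value = preg_replace('/\r\n[ \t]+/', ' ', $value);
    }
    // Any remaining CR or LF would start a new header line (e.g. "Bcc:").
    return preg_match('/[\r\n]/', $value) === 0;
}

function safe_mail(array $to, string $subject, string $message, array $extra = []): bool {
    foreach ($to as $addr) {
        if (!header_value_is_safe($addr) || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            trigger_error("mail(): invalid recipient address", E_USER_WARNING);
            return false;
        }
    }
    if (!header_value_is_safe($subject, true)) {
        trigger_error("mail(): newline in subject", E_USER_WARNING);
        return false;
    }
    $headers = [];
    foreach ($extra as $name => $val) {
        // Header names are restricted to token characters; values may not fold here.
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9-]+$/', $name) || !header_value_is_safe($val)) {
            trigger_error("mail(): invalid additional header", E_USER_WARNING);
            return false;
        }
        $headers[] = "$name: $val";
    }
    return mail(implode(', ', $to), $subject, $message, implode("\r\n", $headers));
}

// Constructed inputs mirroring the report's reproduce case (not real addresses).
// A recipient field carrying CRLF and an appended Bcc header must be refused.
$injected = "friend@example.com\r\nBcc: someone-else@example.com";
var_dump(header_value_is_safe($injected));
// A folded long subject is accepted; a header-ending blank line is refused.
var_dump(header_value_is_safe("A long subject\r\n continued here", true));
var_dump(header_value_is_safe("Subject\r\n\r\nBcc: someone-else@example.com", true));
```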