I am preparing the patch for PHP_5_1, PHP_5_0 and HEAD.
It will be applied very soon.

Rui

On Tue, 22 Nov 2005 04:01:36 +0200 (EET)
Jani Taskinen <[EMAIL PROTECTED]> wrote:

> 
>      Doesn't this problem exist in PHP_5_1 branch?
> 
>      --Jani
> 
> 
> On Mon, 21 Nov 2005, Rui Hirokawa wrote:
> 
> >
> > hirokawa            Mon Nov 21 18:21:24 2005 EDT
> >
> >  Modified files:              (Branch: PHP_4_4)
> >    /php-src/ext/mbstring    mbstring.c
> >  Log:
> >  fixed #35307 unexpected header can be injected to mb_send_mail() (the 
> > patch is made by masugata).
> >
> > http://cvs.php.net/diff.php/php-src/ext/mbstring/mbstring.c?r1=1.142.2.47.2.4&r2=1.142.2.47.2.5&ty=u
> > Index: php-src/ext/mbstring/mbstring.c
> > diff -u php-src/ext/mbstring/mbstring.c:1.142.2.47.2.4 
> > php-src/ext/mbstring/mbstring.c:1.142.2.47.2.5
> > --- php-src/ext/mbstring/mbstring.c:1.142.2.47.2.4  Sat Nov 19 01:39:39 2005
> > +++ php-src/ext/mbstring/mbstring.c Mon Nov 21 18:21:19 2005
> > @@ -17,7 +17,7 @@
> >    +----------------------------------------------------------------------+
> >  */
> >
> > -/* $Id: mbstring.c,v 1.142.2.47.2.4 2005/11/19 06:39:39 hirokawa Exp $ */
> > +/* $Id: mbstring.c,v 1.142.2.47.2.5 2005/11/21 23:21:19 hirokawa Exp $ */
> >
> > /*
> >  * PHP4 Multibyte String module "mbstring"
> > @@ -3467,6 +3467,22 @@
> >  *  Sends an email message with MIME scheme
> >  */
> > #if HAVE_SENDMAIL
> > +#define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos)                            
> >                 \
> > +   if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || 
> > str[pos + 2] == '\t')) {        \
> > +           pos += 3;                                                       
> >                                 \
> > +           while (str[pos] == ' ' || str[pos] == '\t') {           \
> > +                   pos++;                                                  
> >                                 \
> > +           }                                               \
> > +           continue;                                                       
> >                                 \
> > +   }                                                                       
> >                                 \
> > +   else if (str[pos] == '\n' && (str[pos + 1] == ' ' || str[pos + 1] == 
> > '\t')) {   \
> > +           pos += 2;                                                       
> >                                 \
> > +           while (str[pos] == ' ' || str[pos] == '\t') {           \
> > +                   pos++;                                                  
> >                                 \
> > +           }                                                               
> >                                 \
> > +           continue;                                                       
> >                                 \
> > +   }                                                                       
> >                                 \
> > +
> > PHP_FUNCTION(mb_send_mail)
> > {
> >     int argc, n;
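Review bot: SKIP_LONG_HEADER_SEP_MBSTRING expands to a bare if / else if chain ending in "continue", so it only works as a statement placed directly inside a loop body, and an "else" written after a call site would silently attach to the macro's own chain. The jump is also invisible at the point of use, and str and pos are expanded unparenthesized several times. A small static helper that returns the index to resume from, with the caller deciding whether to continue, would be easier to audit. At minimum, add a comment above the #define saying that it must be used inside a loop and where it leaves pos.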
> > @@ -3482,6 +3498,8 @@
> >     mbfl_memory_device device;      /* automatic allocateable buffer for 
> > additional header */
> >     const mbfl_language *lang;
> >     int err = 0;
> > +   char *to_r;
> > +   int to_len, i;
> >
> >     /* initialize */
> >     mbfl_memory_device_init(&device, 0, 0);
> > @@ -3508,6 +3526,32 @@
> >     convert_to_string_ex(argv[0]);
> >     if (Z_STRVAL_PP(argv[0])) {
> >             to = Z_STRVAL_PP(argv[0]);
> > +           to_len = Z_STRLEN_PP(argv[0]);
> > +           if (to_len > 0) {
> > +                   to_r = estrndup(to, to_len);
> > +                   for (; to_len; to_len--) {
> > +                           if (!isspace((unsigned char) to_r[to_len - 1])) 
> > {
> > +                                   break;
> > +                           }
> > +                           to_r[to_len - 1] = '\0';
> > +                   }
> > +                   for (i = 0; to_r[i]; i++) {
> > +                           if (iscntrl((unsigned char) to_r[i])) {
> > +                                           /* According to RFC 822, 
> > section 3.1.1 long headers may be
> > +separated into
> > +                                    * parts using CRLF followed at least 
> > one linear-white-space
> > +character ('\t' or ' ').
> > +                                    * To prevent these separators from 
> > being replaced with a space,
> > +we use the
> > +                                    * SKIP_LONG_HEADER_SEP_MBSTRING to 
> > skip over them.
> > +                                    */
> > +                                   SKIP_LONG_HEADER_SEP_MBSTRING(to_r, i);
> > +                                   to_r[i] = ' ';
> > +                           }
> > +                   }
> > +           } else {
> > +                   to_r = to;
> > +           }
> >     } else {
> >             php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing To: 
> > field");
> >             err = 1;
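Review bot: In the "for (i = 0; to_r[i]; i++)" scan, the macro leaves i on the first byte after the folding whitespace and then executes "continue", so the loop's i++ steps over that byte before it ever reaches the iscntrl() test. A control character sitting directly after a folded line break would therefore survive in to_r. Suggest having the macro stop on the last whitespace byte instead (advance by one less and test str[pos + 1] in the while loops), so that the loop increment lands on the next byte and it gets checked like every other one.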
> > @@ -3606,12 +3650,15 @@
> >             extra_cmd = php_escape_shell_cmd(extra_cmd);
> >     }
> >
> > -   if (!err && php_mail(to, subject, message, headers, extra_cmd 
> > TSRMLS_CC)) {
> > +   if (!err && php_mail(to_r, subject, message, headers, extra_cmd 
> > TSRMLS_CC)) {
> >             RETVAL_TRUE;
> >     } else {
> >             RETVAL_FALSE;
> >     }
> >
> > +   if (to_r != to) {
> > +           efree(to_r);
> > +   }
> >     if (extra_cmd) {
> >             efree(extra_cmd);
> >     }
> >
> >
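Review bot: The cleanup "if (to_r != to) efree(to_r);" reads to_r on every path, but to_r is declared as "char *to_r;" with no initializer and the "Missing To: field" branch never assigns it. On that error path php_mail() is skipped because of "!err &&", yet the comparison and the efree() still run on an indeterminate pointer. Initialize it at the declaration (char *to_r = NULL;) and guard the free with "if (to_r && to_r != to)".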
> 
> -- 
> Give me your money at @ <http://pecl.php.net/wishlist.php/sniper>
> Donating money may make me happier and friendlier for a limited period!
> Death to all 4 letter abbreviations starting with P!
> 
> 

-- 
Rui Hirokawa <[EMAIL PROTECTED]>





-- 
PHP CVS Mailing List (http://www.php.net/)