Hello,

On 07/19/2004 10:46 PM, Jordi Canals wrote:
 > remove carriage returns to prevent embedded email directives

> In another thread, I read that sentence. I'm interested in finding more information about that. I have some mail forms and want to make them as secure as possible, but do not know what and where I should filter.

> Should I filter all CR and LF just in headers, or should I also do that in the message body? (which is sent in the SMTP DATA section)

> After the big thread that followed my question, I just want to say a couple of things:

> I only wanted to know how to prevent embedded email directives sent by the user, and whether these directives can be found in the headers or in the body of the message.

If you do not exclude whatever characters may have special meanings in the message, undesirable effects may happen. You should not take arbitrary definitions of headers without validating them.


For instance, if you are taking e-mail addresses from user input, you need to validate them for instance with a regular expression.

You may also validate the actual (non-)existence of the addresses to prevent user typos by actually consulting the destination SMTP server, but that may be more than what you need now.


> I normally use the mail() function (in Linux) and rarely use any class to send mail, just because all e-mail I send from a website is normally plain text with no attachments. Even sending mail in HTML had no problems if we followed the standards.

Following the standards today is not enough. Due to the growth of spam, many e-mail account providers have installed filters that reject messages that follow the standards and are not really spam. For instance, if you send a plain HTML message to a Hotmail account, it may end up being tagged as spam and the recipient never sees it.



> The only problem I had with the function was with a Windows site, and it was about bad header composition. I can see this is the only bug open and assigned related to the mail function (http://bugs.php.net/bug.php?id=28038). Hope Wez will correct it some day ;)
> 
> Except for this case, the mail() function has always worked for me.

Nah, the mail function does not have bugs, even less does it do wrong filtering. Ask Curt, and he'll tell you it is all Manuel Lemos' imagination trying to push you to his site! (Sorry, couldn't resist! ;-) )


Now seriously, apart from the actual bug reported above, your last remark about the Return-Path header is a result of a misunderstanding.

Believe it or not, that misunderstanding is probably my fault. What happens is that the way to specify the bounce address, where messages that can't be delivered are bounced, depends on the way you send your messages: mail() function, SMTP, sendmail program, qmail program, etc. Those are the delivery methods that are supported by this class for composing and sending messages, which I started developing in 1999.

http://www.phpclasses.org/mimemessage


To make the bounce address delivery method independent, I have chosen the Return-Path header to specify it. Then each of the classes responsible for each delivery method processes that header accordingly. However, this header is virtual. Specifying it in a message is meaningless to the SMTP protocol or any MTA.


I just chose that header name because MTAs add that header to the message during delivery, but it does not have to be present when you pass the message to the MTA, and the receiving SMTP address may remove it when the message is successfully received. You may read more about this virtual header in the documentation of this class.

What happened is that some people who read my messages telling them to use this class and the Return-Path header to set the bounce address assumed that the Return-Path was something that would be interpreted by the MTA. Setting the Return-Path with the bounce address was such a good idea that several other PHP mailer classes also adopted the same convention.

Bottom line, adding the Return-Path header to a message is meaningless, therefore the mail function is not expected to do anything with it.

--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
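As an added illustration of the two questions raised above (which characters to filter, and whether that applies to the headers or to the body), here is an example written for this page. It is not code from the thread, from PHP's mail() or from Manuel Lemos' class, and it is in Python rather than PHP so it runs stand-alone without a mail server. The form submissions and addresses are constructed, and ADDR_RE is an assumed, deliberately strict address syntax for a web form, not a full RFC 5322 grammar.

```python
import re

# Constructed sample form submissions (not from the original thread).
FORM_OK = {
    "from": "alice@example.org",
    "subject": "Question about order",
    "body": "Hello,\r\nIs my order shipped?\r\n.",   # last body line is a lone '.'
}
FORM_EVIL = {
    # Header-injection payload: a CRLF followed by a forged Bcc header.
    "from": "alice@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    "subject": "hi",
    "body": "spam",
}

# Assumed address syntax: one local part, one '@', a dotted domain, and no
# whitespace or control characters anywhere. Strict on purpose; not RFC 5322.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
CTRL_RE = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a form field would break out of its header line."""


def build_headers_naive(form):
    """Vulnerable version: user fields are pasted straight into header lines,
    so an embedded CRLF lets the sender add headers of their own."""
    return "From: %s\r\nSubject: %s\r\n" % (form["from"], form["subject"])


def safe_header_value(value):
    """Reject any CR, LF or NUL in a header value instead of stripping it, so a
    tampered submission fails loudly rather than being silently rewritten."""
    if CTRL_RE.search(value):
        raise HeaderInjection("control character in header value: %r" % value)
    return value


def build_headers_safe(form):
    """Hardened version: the address must match ADDR_RE in full (fullmatch, so a
    trailing newline is not tolerated) and free-text fields are checked by
    safe_header_value()."""
    addr = form["from"]
    if not ADDR_RE.fullmatch(addr):
        raise HeaderInjection("invalid From address: %r" % addr)
    return "From: %s\r\nSubject: %s\r\n" % (addr, safe_header_value(form["subject"]))


def rejects(form):
    """True if build_headers_safe() refuses the submission."""
    try:
        build_headers_safe(form)
    except HeaderInjection:
        return True
    return False


def parse_headers(raw):
    """Split a header block into (name, value) pairs, i.e. what the MTA will see."""
    return [tuple(line.split(": ", 1)) for line in raw.split("\r\n") if line]


def dot_stuff_body(body):
    """The body is a different matter: line breaks are legitimate there and must
    not be filtered out. The one thing that needs escaping when you speak SMTP
    DATA yourself is a line starting with '.', which gets a second '.' in front
    (RFC 5321 dot-stuffing) so that a lone '.' cannot end DATA early. A
    sendmail-style MTA, and therefore PHP's mail(), does this for you."""
    lines = re.split(r"\r\n|\r|\n", body)
    return "\r\n".join(("." + line) if line.startswith(".") else line for line in lines)


if __name__ == "__main__":
    print(parse_headers(build_headers_naive(FORM_EVIL)))  # forged Bcc shows up as a header
    print("rejected:", rejects(FORM_EVIL))
    print(parse_headers(build_headers_safe(FORM_OK)))
    print(repr(dot_stuff_body(FORM_OK["body"])))
```

The naive builder turns the attacker's From field into two header lines, and the forged Bcc is indistinguishable from one the application wrote. The hardened builder rejects rather than strips, because a stripped CRLF still leaves the rest of the payload in the header and hides the tampering. The body needs no such filtering; only dot-stuffing matters there, and only if the application talks SMTP directly.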
