David T-G wrote:

I'd like some sanity checks on safely using input for sending mail.  I'm
developing a feature where one can click a 'mail this page' link, fill in
the sender's and the recipient[s]'s addresses, and add comments in the
body (eg "Hey, Bill, what do you think of this chair?") and then generate
the email.  I want to watch out for gotchas.

At the moment, I am running escapeshellcmd() on the From:, To:, Subject:,
url, and body fields, and limiting the recipient field to 255 chars
(enough for about half a dozen addresses, I figure) to prevent being used
for massmailing (though I haven't yet figured out how to keep from being
called repeatedly, but at least that's just as hard for the spammer as
his own bandwidth limits).  Unfortunately, escapeshellcmd() also escapes
the ? and &s in the URL and breaks it; I think it will have to go away.
I'm also ready to believe that I've overlooked half a dozen other things.

How would you guys tackle this?

This isn't what escapeshellcmd() is for; not sure why you chose that one.

Are you sending this as an HTML or Text email? Either way, you control the body of the email (the page that's being sent), so you don't really have to worry about that.

If you're sending an HTML mail, then use htmlentities() on the text before putting it in the email. If you're sending a text email, then you can strip_tags() from it.

The biggest thing to look out for is mail header injection. If you're taking any user input and putting it into the headers (from, to, subject, etc), then newlines need to be stripped. You're allowing the user to set the To: address, I assume (the recipients). If you're sticking that $to variable from the user directly into mail(), you could be vulnerable (same if you create a From: header or use user input in the subject).

For example, say you're collecting my email address for the From: header.

$headers .= "From: {$_POST['email']}\r\n";

You're probably using a regular text input for this, so you're thinking $_POST['email'] can only be one line, but that's not the case. I can duplicate your form and make it a textarea or just do a direct connection to your server and supply any data I want. So, I send the following value for my "email":

[EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: My Own Subject
Content-Type: text/html

This is my own body with malicious intent??
<!--


All of that now gets shoved into the "From" header, but since there are newlines, you're allowing me to create more headers than just From:. I can set any other header, including To:, Cc:, etc. I can even include the body if I include two newlines and then put a comment or a ton of newlines at the end to hide the actual content you'll put in later.


So strip newlines from user input or reject input if it contains newlines.

$text = str_replace(array("\r", "\n"), '', $text);

Is one way to do it.

If I left anything out, I'm sure Chris will jump on it. :)

--

---John Holmes...

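As an added example (my own code, not the original poster's or anything from the list), here is the reject-on-newline approach John describes, extended with address validation and a recipient cap; the function names and the sample payload are constructed for this illustration.

```php
<?php
// Added example, not from the original thread: reject-on-newline checks for
// the header-bound fields of a "mail this page" form. Function names are mine.
// True if the value contains CR, LF or NUL: anything that could start a new
// header line (or the body) once placed in mail()'s headers.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Cleans one header field: no line breaks, and a valid address if $isAddress.
// Returns the trimmed value, or null to reject the whole request.
function cleanHeaderField(string $value, bool $isAddress = false): ?string
{
    $value = trim($value);
    if ($value === '' || hasHeaderInjection($value)) {
        return null; // reject rather than silently strip
    }
    if ($isAddress && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Splits a comma-separated recipient list and caps the count (mass-mail limit).
function cleanRecipients(string $list, int $max = 6): ?array
{
    $clean = [];
    foreach (explode(',', $list) as $addr) {
        $a = cleanHeaderField($addr, true);
        if ($a === null || count($clean) >= $max) {
            return null;
        }
        $clean[] = $a;
    }
    return $clean;
}

// Constructed sample mirroring the injected "email" value from the thread; it must be rejected.
$injected = "a@example.com\r\nReply-To: a@example.com\r\n\r\nMy own body\r\n<!--";
if (cleanHeaderField($injected, true) !== null) { exit('validation broken'); }
// Only build headers from values that passed validation.
$from = cleanHeaderField($_POST['email'] ?? '', true);
$to   = cleanRecipients($_POST['to'] ?? '');
$subj = cleanHeaderField($_POST['subject'] ?? '');
if ($from === null || $to === null || $subj === null) {
    exit('Invalid input');
}
$headers = "From: {$from}\r\n";
$body = htmlentities($_POST['comment'] ?? '', ENT_QUOTES, 'UTF-8'); // HTML mail
mail(implode(', ', $to), $subj, $body, $headers);
```

Rejecting the request outright (rather than stripping CR/LF) also makes injection attempts visible in your logs instead of silently mangling them into a one-line header.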