Re: [PHP] Embedded Email Directives

2004-07-20 Thread Jordi Canals
Curt Zirzow wrote:
* Thus wrote Jordi Canals:
Jordi Canals wrote:
Should I filter all CR and LF just in headers, or should I also do that 
in the message body? (Which is sent in the SMTP DATA section.)

One of the things to ensure you don't do is blindly allow user-entered
data to be sent into the $headers portion of the mail() call,
for example:
  $headers = 'CC: ' . $_POST['CC'] . "\r\n";   // unsafe: raw form input in a header
  
The user can easily trick another 'rcpt to:' or other smtp headers
into the posted CC variable.

Be especially careful if you allow any data to the 5th parameter
(the one that passes arguments to sendmail).
The $to and $subject lines get 'filtered' so \r \n or \t get
translated to ' ', to prevent such injection.
Thanks, that's just what I was looking for.
As I filter and check all headers, and users can only enter valid e-mail 
addresses (one by one), there is no possibility of entering a new RCPT TO: 
header. This will cause an error for the user, and the information will 
be discarded.

Regards,
Jordi.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Embedded Email Directives

2004-07-19 Thread Jordi Canals
Jordi Canals wrote:
Dennis Gearon wrote:
  remove carriage returns to prevent embedded email directives
In another thread, I read that sentence. I'm interested in finding more 
information about that. I have some mail forms and want to make them as 
secure as possible, but do not know what and where I should filter.

Should I filter all CR and LF just in headers, or should I also do that 
in the message body? (Which is sent in the SMTP DATA section.)

After the big thread that followed my question, I just want to say a 
couple of things:

I only wanted to know how to prevent embedded email directives sent by 
users, and whether these directives can be found in the headers or in the body 
of the message.

I normally use the mail() function (on Linux) and rarely use any class 
to send mail, just because all e-mail I send from a website is normally 
plain text with no attachments. Even sending mails in HTML caused no 
problems if we follow the standards.

The only problem I had with the function was with a Windows site, and 
about bad header composition. I can see this is the only bug open and 
assigned related to the mail function 
(http://bugs.php.net/bug.php?id=28038). Hope Wez will correct it some day ;)

Except for this case, the mail() function has always worked for me.
Regards,
Jordi Canals


Re: [PHP] Embedded Email Directives

2004-07-19 Thread Curt Zirzow
* Thus wrote Jordi Canals:
 Jordi Canals wrote:
 
 Dennis Gearon wrote:
 
   remove carriage returns to prevent embedded email directives
 
 In another thread, I read that sentence. I'm interested in finding more 
 information about that. I have some mail forms and want to make them as 
 secure as possible, but do not know what and where I should filter.
 
 Should I filter all CR and LF just in headers, or should I also do that 
 in the message body? (Which is sent in the SMTP DATA section.)
 
 After the big thread that followed my question, I just want to say a 
 couple of things:
 
 I only wanted to know how to prevent embedded email directives sent by 
 users, and whether these directives can be found in the headers or in the body 
 of the message.

One of the things to ensure you don't do is blindly allow user-entered
data to be sent into the $headers portion of the mail() call,
for example:

  $headers = 'CC: ' . $_POST['CC'] . "\r\n";   // unsafe: raw form input in a header
  
The user can easily trick another 'rcpt to:' or other smtp headers
into the posted CC variable.

Be especially careful if you allow any data to the 5th parameter
(the one that passes arguments to sendmail).

The $to and $subject lines get 'filtered' so \r \n or \t get
translated to ' ', to prevent such injection.

It basically comes down to the fact that any time you are sending
any sort of data to an external program, be it a shell exec, a
database query, mail(), etc., validation of the data should be done.


Thanks for your patience.. And double thanks for bringing this
topic back under control :)

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] Embedded Email Directives

2004-07-19 Thread Manuel Lemos
Hello,
On 07/19/2004 10:46 PM, Jordi Canals wrote:
  remove carriage returns to prevent embedded email directives
In another thread, I read that sentence. I'm interested in finding 
more information about that. I have some mail forms and want to make 
them as secure as possible, but do not know what and where 
I should filter.

Should I filter all CR and LF just in headers, or should I also do that 
in the message body? (Which is sent in the SMTP DATA section.)

After the big thread that followed my question, I just want to say a 
couple of things:

I only wanted to know how to prevent embedded email directives sent by 
users, and whether these directives can be found in the headers or in the body 
of the message.
If you do not exclude whatever characters may have special meanings in 
the message, undesirable effects may happen. You should not take 
arbitrary definitions of headers without validating them.

For instance, if you are taking e-mail addresses from user input, you 
need to validate them for instance with a regular expression.

You may also validate the actual (non-)existence of the addresses to 
prevent user typos by actually consulting the destination SMTP server, 
but that may be more than what you need now.


I normally use the mail() function (on Linux) and rarely use any class 
to send mail, just because all e-mail I send from a website is normally 
plain text with no attachments. Even sending mails in HTML caused no 
problems if we follow the standards.
Following the standards today is not enough. Due to the growth of spam, 
many e-mail account providers have installed filters that reject messages 
that follow the standards and are not really spam. For instance, if you 
send a plain HTML message to a Hotmail account, it may end up being 
tagged as spam and the recipient never sees it.


The only problem I had with the function was with a Windows site, and 
about bad header composition. I can see this is the only bug open and 
assigned related to the mail function 
(http://bugs.php.net/bug.php?id=28038). Hope Wez will correct it some 
day ;)

Except for this case, the mail() function has always worked for me.
Nah, the mail function does not have bugs, much less does it do wrong 
filtering. Ask Curt, and he'll tell you it is all Manuel Lemos' 
imagination trying to push you to his site! (sorry, couldn't resist! ;-) )

Now seriously, apart from the actual bug reported above, your last 
remark about the Return-Path header is a result of a misunderstanding.

Believe it or not, that misunderstanding is probably my fault. What 
happens is that the way to specify the bounce address, where messages that can't 
be delivered are bounced, depends on the way you send your messages: 
mail() function, SMTP, sendmail program, qmail program, etc. Those are 
the delivery methods that are supported by this class for composing and 
sending messages that I started developing in 1999.

http://www.phpclasses.org/mimemessage
To make the bounce address delivery method independent, I have chosen the 
Return-Path header to specify it. Then each of the classes responsible 
for each delivery method processes that header accordingly. However, this 
header is virtual. Specifying it in a message is meaningless to the SMTP 
protocol or any MTA.

I have just chosen that header name because MTAs add that header to the 
message during delivery, but it does not have to be present when you pass 
the message to the MTA, and the receiving SMTP address may remove it when 
the message is successfully received. You may read more about this 
virtual header in the documentation of this class.

What happened is that some people who have read my messages telling them to 
use this class and the Return-Path header to set the bounce address 
assumed that the Return-Path was something that would be interpreted by 
the MTA. Setting the Return-Path with the bounce address was such a good 
idea that several other PHP mailer classes also adopted the same convention.

Bottom line, adding the Return-Path header to a message is meaningless, 
therefore the mail function is not expected to do anything with it.

--
Regards,
Manuel Lemos
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/
Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
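As an added example (not code from the thread or from any of the posters' classes), here is one way to apply Curt's and Manuel's advice in PHP: every user-supplied header value is refused if it contains CR/LF or is not a single valid address, and only then is it concatenated into the $headers string for mail(). The helper and form field names are assumptions.

```php
<?php
// Added example, not code from the thread: build the $headers argument of
// mail() from form input without letting a CR/LF (and with it an extra
// header such as Bcc:) reach the header block. Helper names are hypothetical.
// Return the trimmed address if it is one valid e-mail address with no
// control characters, otherwise null.
function safe_address(string $raw): ?string
{
    $addr = trim($raw);
    // CR, LF or any other control character means a header injection
    // attempt or corrupt input: refuse it rather than try to "clean" it.
    if (preg_match('/[\x00-\x1f\x7f]/', $addr)) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}
// Compose the extra headers for mail(). Each field is validated on its own;
// one bad field refuses the whole message instead of silently stripping it.
function build_headers(array $form): ?string
{
    $from = safe_address($form['from'] ?? '');
    if ($from === null) {
        return null;
    }
    $lines = ["From: $from"];
    if (($form['cc'] ?? '') !== '') {       // optional CC: a single address
        $cc = safe_address($form['cc']);
        if ($cc === null) {
            return null;
        }
        $lines[] = "Cc: $cc";
    }
    return implode("\r\n", $lines);
}
// Constructed inputs: a normal post and one with a second header smuggled
// into the CC field, the case described in the thread.
$posts = [
    ['from' => 'alice@example.com', 'cc' => 'bob@example.com'],
    ['from' => 'alice@example.com', 'cc' => "bob@example.com\r\nBcc: x@example.net"],
];
foreach ($posts as $form) {
    $headers = build_headers($form);
    if ($headers === null) {
        echo "refused: a header field contained CR/LF or an invalid address\n";
    } else {
        // Safe to hand to mail(); the 5th parameter never receives form data.
        // mail('editor@example.com', 'Contact form', $body, $headers);
        echo "ok, headers:\n$headers\n";
    }
}
```

The message body keeps its own line breaks and goes through the separate body parameter; only header values need this treatment.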


Re: [PHP] Embedded Email Directives

2004-07-19 Thread Curt Zirzow
* Thus wrote Manuel Lemos:
 Hello,
 
 Nah, the mail function does not have bugs, even less it does wrong 
 filtering. Ask Curt, and he'll tell you it is all Manuel Lemos 
 imagination trying to push you to his site! (sorry couldn't resist! ;-) )

Would you please desist from dragging your ego trips into all your
posts and leave me out of topics unrelated to what was discussed
earlier.

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




[PHP] Embedded Email Directives

2004-07-15 Thread Jordi Canals
Dennis Gearon wrote:
 remove carriage returns to prevent embedded email directives
In another thread, I read that sentence. I'm interested in finding more 
information about that. I have some mail forms and want to make them as 
secure as possible, but do not know what and where I should filter.

Should I filter all CR and LF just in headers, or should I also do that 
in the message body? (Which is sent in the SMTP DATA section.)

Thanks,
Jordi.