Merge branch 'PHP-5.4' into PHP-5.4.42

smalyshev · smalyshev · commit 3a857b95cea3 · 2015-06-09T22:11:55.000-07:00
* PHP-5.4:
  add NEWS
  Fixed bug #68776
  fix test
diff --git a/NEWS b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
 - Litespeed SAPI:
   . Fixed bug #68812 (Unchecked return value). (George Wang)
 
+- Mail:
+  . Fixed bug #68776 (mail() does not have mail header injection prevention for
+    additional headers). (Yasuo)
+
 - Postgres:
   . Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
 
diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt
@@ -15,9 +15,9 @@ $result = $doc->loadHTMLFile("");
 assert('$result === false');
 $doc = new DOMDocument();
 $result = $doc->loadHTMLFile("text.html\0something");
-assert('$result === null');
+assert('$result === false');
 ?>
 --EXPECTF--
 %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s
 
-%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s
+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Invalid file source %s
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
@@ -221,6 +221,44 @@ void php_mail_log_to_file(char *filename, char *message, size_t message_size TSR
 }
 
 
+static int php_mail_detect_multiple_crlf(char *hdr) {
+	/* This function detects multiple/malformed multiple newlines. */
+	size_t len;
+
+	if (!hdr) {
+		return 0;
+	}
+
+	/* Should not have any newlines at the beginning. */
+	/* RFC 2822 2.2. Header Fields */
+	if (*hdr < 33 || *hdr > 126 || *hdr == ':') {
+		return 1;
+	}
+
+	while(*hdr) {
+		if (*hdr == '\r') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || (*(hdr+1) == '\n' && (*(hdr+2) == '\0' || *(hdr+2) == '\n' || *(hdr+2) == '\r'))) {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else if (*hdr == '\n') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || *(hdr+1) == '\n') {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else {
+			hdr++;
+		}
+	}
+
+	return 0;
+}
+
+
 /* {{{ php_mail
  */
 PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
@@ -266,6 +304,7 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 
 		efree(tmp);
 	}
+
 	if (PG(mail_x_header)) {
 		const char *tmp = zend_get_executed_filename(TSRMLS_C);
 		char *f;
@@ -281,6 +320,11 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 		efree(f);
 	}
 
+	if (hdr && php_mail_detect_multiple_crlf(hdr)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multiple or malformed newlines found in additional_header");
+		MAIL_RET(0);
+	}
+
 	if (!sendmail_path) {
 #if (defined PHP_WIN32 || defined NETWARE)
 		/* handle old style win smtp sending */
diff --git a/ext/standard/tests/mail/mail_basic6.phpt b/ext/standard/tests/mail/mail_basic6.phpt
