Skip to content

Commit 9d168b8

Browse files
Yasuo Ohgakismalyshev
Yasuo Ohgaki
authored and
smalyshev
committed
Fixed bug #68776
1 parent eee8b6c commit 9d168b8

File tree

2 files changed

+373
-0
lines changed

2 files changed

+373
-0
lines changed

ext/standard/mail.c

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -221,6 +221,44 @@ void php_mail_log_to_file(char *filename, char *message, size_t message_size TSR
221221
}
222222

223223

224+
static int php_mail_detect_multiple_crlf(char *hdr) {
225+
/* This function detects multiple/malformed multiple newlines. */
226+
size_t len;
227+
228+
if (!hdr) {
229+
return 0;
230+
}
231+
232+
/* Should not have any newlines at the beginning. */
233+
/* RFC 2822 2.2. Header Fields */
234+
if (*hdr < 33 || *hdr > 126 || *hdr == ':') {
235+
return 1;
236+
}
237+
238+
while(*hdr) {
239+
if (*hdr == '\r') {
240+
if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || (*(hdr+1) == '\n' && (*(hdr+2) == '\0' || *(hdr+2) == '\n' || *(hdr+2) == '\r'))) {
241+
/* Malformed or multiple newlines. */
242+
return 1;
243+
} else {
244+
hdr += 2;
245+
}
246+
} else if (*hdr == '\n') {
247+
if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || *(hdr+1) == '\n') {
248+
/* Malformed or multiple newlines. */
249+
return 1;
250+
} else {
251+
hdr += 2;
252+
}
253+
} else {
254+
hdr++;
255+
}
256+
}
257+
258+
return 0;
259+
}
260+
261+
224262
/* {{{ php_mail
225263
*/
226264
PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
@@ -266,6 +304,7 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
266304

267305
efree(tmp);
268306
}
307+
269308
if (PG(mail_x_header)) {
270309
const char *tmp = zend_get_executed_filename(TSRMLS_C);
271310
char *f;
@@ -281,6 +320,11 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
281320
efree(f);
282321
}
283322

323+
if (hdr && php_mail_detect_multiple_crlf(hdr)) {
324+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multiple or malformed newlines found in additional_header");
325+
MAIL_RET(0);
326+
}
327+
284328
if (!sendmail_path) {
285329
#if (defined PHP_WIN32 || defined NETWARE)
286330
/* handle old style win smtp sending */

ext/standard/tests/mail/mail_basic6.phpt

Lines changed: 329 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,329 @@
1+
--TEST--
2+
Test mail() function : basic functionality
3+
--INI--
4+
sendmail_path=tee mailBasic.out >/dev/null
5+
mail.add_x_header = Off
6+
--SKIPIF--
7+
<?php
8+
if(substr(PHP_OS, 0, 3) == "WIN")
9+
die("skip Won't run on Windows");
10+
?>
11+
--FILE--
12+
<?php
13+
/* Prototype : int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
14+
* Description: Send an email message with invalid addtional_headers
15+
* Source code: ext/standard/mail.c
16+
* Alias to functions:
17+
*/
18+
19+
echo "*** Testing mail() : basic functionality ***\n";
20+
21+
22+
// Valid header
23+
$to = 'user@example.com';
24+
$subject = 'Test Subject';
25+
$message = 'A Message';
26+
$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n";
27+
$outFile = "mailBasic.out";
28+
@unlink($outFile);
29+
30+
echo "-- Valid Header --\n";
31+
// Calling mail() with all additional headers
32+
var_dump( mail($to, $subject, $message, $additional_headers) );
33+
echo file_get_contents($outFile);
34+
unlink($outFile);
35+
36+
// Valid header
37+
$additional_headers = "HEAD1: a\nHEAD2: b\n";
38+
@unlink($outFile);
39+
40+
echo "-- Valid Header --\n";
41+
// Calling mail() with all additional headers
42+
var_dump( mail($to, $subject, $message, $additional_headers) );
43+
echo @file_get_contents($outFile);
44+
@unlink($outFile);
45+
46+
// Valid header
47+
// \r is accepted as valid. This may be changed to invalid.
48+
$additional_headers = "HEAD1: a\rHEAD2: b\r";
49+
@unlink($outFile);
50+
51+
echo "-- Valid Header --\n";
52+
// Calling mail() with all additional headers
53+
var_dump( mail($to, $subject, $message, $additional_headers) );
54+
echo @file_get_contents($outFile);
55+
@unlink($outFile);
56+
57+
//===============================================================================
58+
// Invalid header
59+
$additional_headers = "\nHEAD1: a\nHEAD2: b\n";
60+
@unlink($outFile);
61+
62+
echo "-- Invalid Header - preceeding newline--\n";
63+
// Calling mail() with all additional headers
64+
var_dump( mail($to, $subject, $message, $additional_headers) );
65+
echo @file_get_contents($outFile);
66+
@unlink($outFile);
67+
68+
// Invalid header
69+
$additional_headers = "\rHEAD1: a\nHEAD2: b\r";
70+
@unlink($outFile);
71+
72+
echo "-- Invalid Header - preceeding newline--\n";
73+
// Calling mail() with all additional headers
74+
var_dump( mail($to, $subject, $message, $additional_headers) );
75+
echo @file_get_contents($outFile);
76+
@unlink($outFile);
77+
78+
// Invalid header
79+
$additional_headers = "\r\nHEAD1: a\r\nHEAD2: b\r\n";
80+
@unlink($outFile);
81+
82+
echo "-- Invalid Header - preceeding newline--\n";
83+
// Calling mail() with all additional headers
84+
var_dump( mail($to, $subject, $message, $additional_headers) );
85+
echo @file_get_contents($outFile);
86+
@unlink($outFile);
87+
88+
// Invalid header
89+
$additional_headers = "\r\n\r\nHEAD1: a\r\nHEAD2: b\r\n";
90+
@unlink($outFile);
91+
92+
echo "-- Invalid Header - preceeding newline--\n";
93+
// Calling mail() with all additional headers
94+
var_dump( mail($to, $subject, $message, $additional_headers) );
95+
echo @file_get_contents($outFile);
96+
@unlink($outFile);
97+
98+
// Invalid header
99+
$additional_headers = "\n\nHEAD1: a\r\nHEAD2: b\r\n";
100+
@unlink($outFile);
101+
102+
echo "-- Invalid Header - preceeding newline--\n";
103+
// Calling mail() with all additional headers
104+
var_dump( mail($to, $subject, $message, $additional_headers) );
105+
echo @file_get_contents($outFile);
106+
@unlink($outFile);
107+
108+
// Invalid header
109+
$additional_headers = "\r\rHEAD1: a\r\nHEAD2: b\r\n";
110+
@unlink($outFile);
111+
112+
echo "-- Invalid Header - preceeding newline--\n";
113+
// Calling mail() with all additional headers
114+
var_dump( mail($to, $subject, $message, $additional_headers) );
115+
echo @file_get_contents($outFile);
116+
@unlink($outFile);
117+
118+
// Invalid header
119+
$additional_headers = "HEAD1: a\r\n\r\nHEAD2: b\r\n";
120+
@unlink($outFile);
121+
122+
echo "-- Invalid Header - multiple newlines in the middle --\n";
123+
// Calling mail() with all additional headers
124+
var_dump( mail($to, $subject, $message, $additional_headers) );
125+
echo @file_get_contents($outFile);
126+
@unlink($outFile);
127+
128+
// Invalid header
129+
$additional_headers = "HEAD1: a\r\n\nHEAD2: b\r\n";
130+
@unlink($outFile);
131+
132+
echo "-- Invalid Header - multiple newlines in the middle --\n";
133+
// Calling mail() with all additional headers
134+
var_dump( mail($to, $subject, $message, $additional_headers) );
135+
echo @file_get_contents($outFile);
136+
@unlink($outFile);
137+
138+
// Invalid header
139+
$additional_headers = "HEAD1: a\n\nHEAD2: b\r\n";
140+
@unlink($outFile);
141+
142+
echo "-- Invalid Header - multiple newlines in the middle --\n";
143+
// Calling mail() with all additional headers
144+
var_dump( mail($to, $subject, $message, $additional_headers) );
145+
echo @file_get_contents($outFile);
146+
@unlink($outFile);
147+
148+
// Invalid header
149+
$additional_headers = "HEAD1: a\r\rHEAD2: b\r\n";
150+
@unlink($outFile);
151+
152+
echo "-- Invalid Header - multiple newlines in the middle --\n";
153+
// Calling mail() with all additional headers
154+
var_dump( mail($to, $subject, $message, $additional_headers) );
155+
echo @file_get_contents($outFile);
156+
@unlink($outFile);
157+
158+
// Invalid header
159+
$additional_headers = "HEAD1: a\n\rHEAD2: b\r\n";
160+
@unlink($outFile);
161+
162+
echo "-- Invalid Header - multiple newlines in the middle --\n";
163+
// Calling mail() with all additional headers
164+
var_dump( mail($to, $subject, $message, $additional_headers) );
165+
echo @file_get_contents($outFile);
166+
@unlink($outFile);
167+
168+
// Invalid header
169+
$additional_headers = "HEAD1: a\n\r\nHEAD2: b\r\n";
170+
@unlink($outFile);
171+
172+
echo "-- Invalid Header - multiple newlines in the middle --\n";
173+
// Calling mail() with all additional headers
174+
var_dump( mail($to, $subject, $message, $additional_headers) );
175+
echo @file_get_contents($outFile);
176+
@unlink($outFile);
177+
178+
// Invalid header
179+
// Invalid, but PHP_FUNCTION(mail) trims newlines
180+
$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n\n";
181+
@unlink($outFile);
182+
183+
echo "-- Invalid Header - trailing newlines --\n";
184+
// Calling mail() with all additional headers
185+
var_dump( mail($to, $subject, $message, $additional_headers) );
186+
echo @file_get_contents($outFile);
187+
@unlink($outFile);
188+
189+
// Invalid header
190+
// Invalid, but PHP_FUNCTION(mail) trims newlines
191+
$additional_headers = "HEAD1: a\r\nHEAD2: b\n\n";
192+
@unlink($outFile);
193+
194+
echo "-- Invalid Header - trailing newlines --\n";
195+
// Calling mail() with all additional headers
196+
var_dump( mail($to, $subject, $message, $additional_headers) );
197+
echo @file_get_contents($outFile);
198+
@unlink($outFile);
199+
200+
// Invalid header
201+
// Invalid, but PHP_FUNCTION(mail) trims newlines
202+
$additional_headers = "HEAD1: a\r\nHEAD2: b\n";
203+
@unlink($outFile);
204+
205+
echo "-- Invalid Header - trailing newlines --\n";
206+
// Calling mail() with all additional headers
207+
var_dump( mail($to, $subject, $message, $additional_headers) );
208+
echo @file_get_contents($outFile);
209+
@unlink($outFile);
210+
211+
// Invalid header
212+
// Invalid, but PHP_FUNCTION(mail) trims newlines
213+
$additional_headers = "HEAD1: a\r\nHEAD2: b\r";
214+
@unlink($outFile);
215+
216+
echo "-- Invalid Header - trailing newlines --\n";
217+
// Calling mail() with all additional headers
218+
var_dump( mail($to, $subject, $message, $additional_headers) );
219+
echo @file_get_contents($outFile);
220+
@unlink($outFile);
221+
222+
?>
223+
===DONE===
224+
--EXPECTF--
225+
*** Testing mail() : basic functionality ***
226+
-- Valid Header --
227+
bool(true)
228+
To: user@example.com
229+
Subject: Test Subject
230+
HEAD1: a
231+
HEAD2: b
232+
233+
A Message
234+
-- Valid Header --
235+
bool(true)
236+
To: user@example.com
237+
Subject: Test Subject
238+
HEAD1: a
239+
HEAD2: b
240+
241+
A Message
242+
-- Valid Header --
243+
bool(true)
244+
To: user@example.com
245+
Subject: Test Subject
246+
HEAD1: aHEAD2: b
247+
248+
A Message
249+
-- Invalid Header - preceeding newline--
250+
251+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
252+
bool(false)
253+
-- Invalid Header - preceeding newline--
254+
255+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
256+
bool(false)
257+
-- Invalid Header - preceeding newline--
258+
259+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
260+
bool(false)
261+
-- Invalid Header - preceeding newline--
262+
263+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
264+
bool(false)
265+
-- Invalid Header - preceeding newline--
266+
267+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
268+
bool(false)
269+
-- Invalid Header - preceeding newline--
270+
271+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
272+
bool(false)
273+
-- Invalid Header - multiple newlines in the middle --
274+
275+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
276+
bool(false)
277+
-- Invalid Header - multiple newlines in the middle --
278+
279+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
280+
bool(false)
281+
-- Invalid Header - multiple newlines in the middle --
282+
283+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
284+
bool(false)
285+
-- Invalid Header - multiple newlines in the middle --
286+
287+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
288+
bool(false)
289+
-- Invalid Header - multiple newlines in the middle --
290+
291+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
292+
bool(false)
293+
-- Invalid Header - multiple newlines in the middle --
294+
295+
Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
296+
bool(false)
297+
-- Invalid Header - trailing newlines --
298+
bool(true)
299+
To: user@example.com
300+
Subject: Test Subject
301+
HEAD1: a
302+
HEAD2: b
303+
304+
A Message
305+
-- Invalid Header - trailing newlines --
306+
bool(true)
307+
To: user@example.com
308+
Subject: Test Subject
309+
HEAD1: a
310+
HEAD2: b
311+
312+
A Message
313+
-- Invalid Header - trailing newlines --
314+
bool(true)
315+
To: user@example.com
316+
Subject: Test Subject
317+
HEAD1: a
318+
HEAD2: b
319+
320+
A Message
321+
-- Invalid Header - trailing newlines --
322+
bool(true)
323+
To: user@example.com
324+
Subject: Test Subject
325+
HEAD1: a
326+
HEAD2: b
327+
328+
A Message
329+
===DONE===

0 commit comments

Comments
 (0)