Fixed bug #68776

ext/standard/mail.c

@@ -221,6 +221,44 @@ void php_mail_log_to_file(char *filename, char *message, size_t message_size TSR
 }
 
 
+static int php_mail_detect_multiple_crlf(char *hdr) {
+	/* This function detects multiple/malformed multiple newlines. */
+	size_t len;
+
+	if (!hdr) {
+		return 0;
+	}
+
+	/* Should not have any newlines at the beginning. */
+	/* RFC 2822 2.2. Header Fields */
+	if (*hdr < 33 || *hdr > 126 || *hdr == ':') {
+		return 1;
+	}
+
+	while(*hdr) {
+		if (*hdr == '\r') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || (*(hdr+1) == '\n' && (*(hdr+2) == '\0' || *(hdr+2) == '\n' || *(hdr+2) == '\r'))) {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else if (*hdr == '\n') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || *(hdr+1) == '\n') {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else {
+			hdr++;
+		}
+	}
+
+	return 0;
+}
+
+
 /* {{{ php_mail
  */
 PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
@@ -266,6 +304,7 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 
 		efree(tmp);
 	}
+
 	if (PG(mail_x_header)) {
 		const char *tmp = zend_get_executed_filename(TSRMLS_C);
 		char *f;
@@ -281,6 +320,11 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 		efree(f);
 	}
 
+	if (hdr && php_mail_detect_multiple_crlf(hdr)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multiple or malformed newlines found in additional_header");
+		MAIL_RET(0);
+	}
+
 	if (!sendmail_path) {
 #if (defined PHP_WIN32 || defined NETWARE)
 		/* handle old style win smtp sending */

ext/standard/tests/mail/mail_basic6.phpt

@@ -0,0 +1,329 @@
+--TEST--
+Test mail() function : basic functionality
+--INI--
+sendmail_path=tee mailBasic.out >/dev/null
+mail.add_x_header = Off
+--SKIPIF--
+<?php
+if(substr(PHP_OS, 0, 3) == "WIN")
+  die("skip Won't run on Windows");
+?>
+--FILE--
+<?php
+/* Prototype  : int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
+ * Description: Send an email message with invalid addtional_headers
+ * Source code: ext/standard/mail.c
+ * Alias to functions:
+ */
+
+echo "*** Testing mail() : basic functionality ***\n";
+
+
+// Valid header
+$to = 'user@example.com';
+$subject = 'Test Subject';
+$message = 'A Message';
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n";
+$outFile = "mailBasic.out";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo file_get_contents($outFile);
+unlink($outFile);
+
+// Valid header
+$additional_headers = "HEAD1: a\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Valid header
+// \r is accepted as valid. This may be changed to invalid.
+$additional_headers = "HEAD1: a\rHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+//===============================================================================
+// Invalid header
+$additional_headers = "\nHEAD1: a\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\rHEAD1: a\nHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\n\r\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\n\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\rHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\n\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\n\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\rHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\rHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\n\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+?>
+===DONE===
+--EXPECTF--
+*** Testing mail() : basic functionality ***
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: aHEAD2: b
+
+A Message
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+===DONE===