Per the gist provided by @Qronicle, I've created a unit test against `Zend\Mail\Message`, and a proposed fix. `Zend\Mime\Part::getHeadersAsArray()` accepts an optional argument, the line separator sequence. This defaults to `\n`, but for mail messages, should be `\r\n`. The proposed patch passes that argument when retrieving MIME headers to include in the mail message.
…g vectors This patch implements a layered approach for detecting and preventing CRLF Injection Attacks in the `Zend\Http` and `Zend\Mail` components. The approach provides utilities in each component for the following: - validating that header values follow the appropriate specification with regards to allowed characters and multiline sequences (header folding). - filtering header values according to the appropriate specification; the filtering provided is lossy, and removes any invalid characters. - asserting a header value is valid (essentially, raising an exception when invalid). All header classes have been updated to validate values (and, in the case of `Zend\Mail`, the header names as well), and to raise an exception for invalid cases. This treatment also applies to deserialization. Users must now perform one or more of the following in order to deal with invalid headers: - Wrap header operations in a try/catch block. - Perform a validation check prior to executing a header operation. - Filter values passed to header operations.