Possible PHP issue: Description: ------------ The unexpected header can be injected at the mb_send_mail function. The mail function is doing the check of the unexpected control code to "To" and "Subject". However, the mb_send_mail function isn't doing a check. By the feature of the function overload, mail function is exchanged for the mb_send_mail function. Therefore, it thinks that the check like the mail function is necessary about the mb_send_mail function, too. It is "To" that seems to need a check. The report is PHP4 but needs the same correction about PHP5.
This is not a vulnerability... untrusted user input should be checked. At most a default config issue... I would let the fix filter from upstream natural releases.
PHP please advise.
I'm with waiting for upstream on this one.
Upstream already fixed it for all releases in CVS: http://cvs.php.net/php-src/ext/mbstring/mbstring.c Atm, only PHP 5.1.1 contains the fix, PHP 5.0 will never be updated and PHP 4.4.2 will contain the fix, but there is no release date yet. I'm working on the latest revisions of dev-lang/php wich backport the fix to PHP 4.4.1, 4.3.11 and 5.0.5, as well as improve some other things like CURL/GD safe_mode/open_basedir checks, those should be ready in a few days and hit the tree on thursday I hope, along with the new PHP 5.1.1. Best regards, CHTEKK.
New revisions of dev-lang/php and PHP 5.1.1 are in the tree, wich fix this mb_send_mail() issue for all their versions, as well as some other GD/CURL safe_mode/open_basedir issues. Best regards, CHTEKK.
dev-php/php, dev-php/mod_php, and dev-php/php-cgi have been replaced by dev-lang/php. Please upgrade (following the guide at http://svn.gnqs.org/projects/gentoo-php-overlay/file/docs/php-upgrading.html?format=raw) to the new-style PHP package and open a new bug if the problem persists. Thank you.