Bug 115047 - php mail() exploit feature request
Summary: php mail() exploit feature request
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-09 17:55 UTC by Brad Schuetz
Modified: 2005-12-10 01:33 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Brad Schuetz 2005-12-09 17:55:43 UTC
The php mail() function is used in thousands of scripts.  Unfortunately many of
those scripts were not written with any input validation in mind.  I do realize
this isn't technically a php "problem" however I recently came across a patch
written by someone that makes it significantly harder to exploit the php mail()
function.

As an example, this exploit is made available by users who do not validate
something as trivial as a "From Name" type field in a form.  Any $_POST field
that is blindly passed into the additional_headers argument to the mail()
function opens the script up to unrestricted spam abuse.  Spammers will post a
full message into this $_POST field with their own headers and a mime
encapsulation in order to hide the original user's message.  The
additional_headers argument is their tool in this case.  By passing in more
headers and including a "\n\n" they are able to reform the message to whatever
they wish.

The workaround in this patch, http://www.titov.net/php-nospam.patch (please note
that I did not write this patch and take no credit for it.), provides an
additional check to the "to", "subject" and "additional_headers" arguments of
the mail() function that disallows a "\n" in the "to" or "subject" arguments and
disallows a "\n\n" to be passed into the "additional_headers" argument.

I realize the problem truly lies in the script and not in the php language,
however for people who host thousands of sites written by a diverse group of
authors it is not a simple task to get them all properly fixed to deny this
behavior.  This patch would certainly help those of us who use gentoo+php on our
hosting platforms.

Reproducible: Always
Steps to Reproduce:
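The checks the report describes (no line break in "to" or "subject", no blank line in additional_headers) can also be applied at the application level when the interpreter cannot be patched. The following is an added example, not the linked patch and not code from the reporter or from PHP itself; the function names safe_mail(), contains_line_break() and contains_blank_line() and the sample form values are assumptions made here for illustration.

```php
<?php
// Added example: an application-level wrapper around mail() that applies the
// same three checks the php-nospam patch is described as applying inside
// mail(). Helper names are assumed, not from the patch or from PHP.

function contains_line_break(string $value): bool
{
    // Either CR or LF can terminate a header line, so reject both.
    return strpbrk($value, "\r\n") !== false;
}

function contains_blank_line(string $value): bool
{
    // A blank line ends the header block and begins the message body; this is
    // the "\n\n" the report says is used to replace the original message.
    return preg_match('/(\r?\n)[ \t]*(\r?\n)/', $value) === 1;
}

/**
 * Validate the mail() arguments first; send nothing and return false when
 * any check fails, so a rejected submission is logged rather than relayed.
 */
function safe_mail(string $to, string $subject, string $message, string $additional_headers = ''): bool
{
    if (contains_line_break($to) || contains_line_break($subject)) {
        error_log('safe_mail: line break in to/subject rejected');
        return false;
    }
    if (contains_blank_line($additional_headers)) {
        error_log('safe_mail: blank line in additional_headers rejected');
        return false;
    }
    return mail($to, $subject, $message, $additional_headers);
}

// Constructed inputs: a "From Name" form field as a normal user sends it, and
// the same field carrying a line break plus a blank line (sample string only).
$ok_name  = 'Alice Example';
$bad_name = "Alice Example\r\nX-Injected: yes\r\n\r\nreplacement body";

var_dump(contains_line_break($ok_name));
var_dump(contains_line_break($bad_name));
var_dump(contains_blank_line("From: $ok_name <alice@example.com>\r\n"));
var_dump(contains_blank_line("From: $bad_name <alice@example.com>\r\n"));
```

Note the limit of the additional_headers check as the report describes it: it rejects only a blank line, so a single injected header line (one extra recipient header, for instance) still passes. For a form field that should contain only a display name, the stricter rule is the one used for "to" and "subject": reject any line break at all before the value is ever concatenated into a header.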
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-12-10 01:33:02 UTC
(In reply to comment #0)
> I do realize this isn't technically a php "problem"

Indeed. We try to provide PHP functionally matching upstream; poor programming
skills are not something we should try to work around.

> however I recently came across a patch written by someone that makes it
> significantly harder to exploit the php mail() function.

Feel free to submit this patch upstream (http://bugs.php.net/) or to
http://www.hardened-php.net/, if it's accepted, then it will be automatically
included in Gentoo as well.

Thanks.