The php mail() function is used in thousands of scripts. Unfortunately many of those scripts were not written with any input validation in mind. I do realize this isn't technically a php "problem", however I recently came across a patch written by someone that makes it significantly harder to exploit the php mail() function.

As an example, this exploit is made available by users who do not validate something as trivial as a "From Name" type field in a form. Any $_POST field that is blindly passed into the additional_headers argument to the mail() function opens the script up to unrestricted spam abuse. Spammers will post a full message into this $_POST field with their own headers and a mime encapsulation in order to hide the original user's message. The additional_headers argument is their tool in this case. By passing in more headers and including a "\n\n" they are able to reform the message to whatever they wish.

The workaround in this patch, http://www.titov.net/php-nospam.patch (please note that I did not write this patch and take no credit for it), provides an additional check to the "to", "subject" and "additional_headers" arguments of the mail() function that disallows a "\n" in the "to" or "subject" arguments and disallows a "\n\n" to be passed into the "additional_headers" argument.

I realize the problem truly lies in the script and not in the php language, however for people who host thousands of sites written by a diverse group of authors it is not a simple task to get them all properly fixed to deny this behavior. This patch would certainly help those of us who use gentoo+php on our hosting platforms.

Reproducible: Always

Steps to Reproduce:
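The checks the report describes (no newline in a single-line field, no blank line in additional_headers) are easy to apply in the script itself. The following is an added example, not the patch linked above and not code from the report; the function names and the constructed sample input are my own. It shows the unsafe pattern of passing a form field straight into the headers next to a hardened version that refuses the request when the field contains a CR or LF, and a final gate that rejects a blank line in the assembled header block before it would reach mail().

```php
<?php
// Added example (not the patch from the bug report): input checks a script
// should apply before handing form data to mail(). Function names are my own.

// A single "to" or "subject" value must be one line: any CR or LF would let
// the caller append extra header lines.
function isSingleLine(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// additional_headers legitimately contains newlines between headers, but an
// empty line ends the header block, so a blank line (\n\n or \r\n\r\n) is what
// lets an injected body replace the real message. A trailing newline is also
// rejected, since it becomes an empty line once mail() appends its own.
function hasNoBlankLine(string $headers): bool
{
    return preg_match('/\r?\n[ \t]*\r?\n/', $headers) === 0
        && preg_match('/\r?\n$/', $headers) === 0;
}

// Vulnerable pattern: the "From Name" POST field goes straight into the headers.
function buildHeadersUnsafe(array $post): string
{
    return "From: {$post['from_name']} <contact@example.invalid>";
}

// Hardened pattern: reject control characters and overly long values, and
// refuse to build headers at all rather than pass tainted data to mail().
function buildHeadersSafe(array $post): ?string
{
    $name = $post['from_name'] ?? '';
    if (!isSingleLine($name) || strlen($name) > 100) {
        return null;
    }
    $headers = "From: {$name} <contact@example.invalid>";
    // Final gate, mirroring the additional_headers rule from the report.
    return hasNoBlankLine($headers) ? $headers : null;
}

// Constructed sample input mimicking the abuse described in the report: a
// "From Name" value that carries its own header and a blank line before a body.
$tainted = ['from_name' => "Alice\r\nBcc: other@example.invalid\r\n\r\nunsolicited body"];
$clean   = ['from_name' => 'Alice'];

var_dump(isSingleLine($clean['from_name']));
var_dump(isSingleLine($tainted['from_name']));
var_dump(hasNoBlankLine(buildHeadersUnsafe($tainted)));
var_dump(buildHeadersSafe($tainted));
var_dump(buildHeadersSafe($clean));
```

Run with `php example.php`: the unsafe builder happily produces a header block containing a blank line for the tainted input, while the hardened builder returns null for it and a single From: line for the clean input. Rejecting the request outright (rather than stripping the newlines) is deliberate: a value with control characters in a name field is not something a legitimate user sends, and logging the refusal gives a hosting operator a usable signal that a form is being probed.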
(In reply to comment #0)

> I do realize this isn't technically a php "problem"

Indeed. We try to provide PHP functionality matching upstream; poor programming skills are not something we should try to work around.

> however I recently came across a patch written by someone that makes it
> significantly harder to exploit the php mail() function.

Feel free to submit this patch upstream (http://bugs.php.net/) or to http://www.hardened-php.net/, if it's accepted, then it will be automatically included in Gentoo as well. Thanks.