[Solar-talk] email header injection and new email class
Paul M Jones
pmjones at solarphp.com
Sun Apr 1 10:03:34 PDT 2007
On Apr 1, 2007, at 9:52 AM, Jeff Surgeson wrote:
> My question is does the new Solar mail classes defend against
> header injection
> or do I still need to take care of this myself?
I have made attempts to prevent header injection issues. When the
email transport calls Solar_Mail_Message::fetchHeaders() to get the
headers for the message, this is what happens as the headers are
assembled into an array:
// encode all the headers so far
foreach ($headers as $key => $val) {
// val[0] is the label, val[1] is the value
$headers[$key][1] = Solar_Mail_Encoding::headerValue(
$val[0],
$val[1],
$this->_charset,
$this->_crlf
);
}
// add and encode custom headers
foreach ($this->_headers as $label => $list) {
foreach ($list as $value) {
$headers[] = array(
$label,
Solar_Mail_Encoding::headerValue(
$label,
$value,
$this->_charset,
$this->_crlf
),
);
}
}
That is, each header value is pass through the Encoding::headerValue
() method. That method is too long to paste here, but you can
examine it to see how it works. In short, it should quoted-printable
encode all portions of the header value. However, this particular
encoding method comes directly from PEAR Mail_Mime (CVS version
1.62), which now makes me concerned; I'll look through it again to
make sure it doesn't miss any \r, \n, or \r\n characters that can
lead to header injection.
Hope this helps, please let me know if it does not.
--
Paul M. Jones <http://paul-m-jones.com>
Solar: Simple Object Library and Application Repository
for PHP5. <http://solarphp.com>
Savant: The simple, elegant, and powerful solution for
templates in PHP. <http://phpsavant.com>
More information about the solar-talk
mailing list