Hi all,

I disabled \r\n injections, which could override the whole contents of a mail,
by checking string extra headers for mail/mb_send_mail already.

Extra mail headers could be checked more by having array extra headers.

https://bugs.php.net/bug.php?id=69791
https://github.com/php/php-src/pull/2060

This patch accepts both "string" (current) and "array" (new) extra
headers. It does a lot more checks than the string version.

I spent only a few hours including research on this, so it might
contain mistakes.
Please review. I'll merge this to master within a week or so.

Thank you.

P.S. Even with array extra headers, it cannot prevent unwanted mail
header injections. e.g. Attackers may inject unwanted 'bcc' headers
with bad code. However, it does a better job than string-only extra
headers.

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
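
An application-side check in the spirit of the message above, as an added example that is not part of the original message or of the PHP patch: headers arrive as a name => value array, every name and value is refused if it could start a new line, and an allow-list covers the 'bcc' case from the P.S. The function name `build_extra_headers`, the allow-list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not the php-src implementation).
// Turns an array of extra headers into the string form, refusing anything
// that could open a new header line or a header the caller did not permit.
function build_extra_headers(array $headers, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    $lines = [];
    foreach ($headers as $name => $value) {
        // Field names: printable US-ASCII except ":" (RFC 5322 "ftext").
        // Integer keys (list-style arrays) fail is_string() and are refused.
        if (!is_string($name) || !preg_match('/\A[\x21-\x39\x3B-\x7E]+\z/', $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        // Allow-list: a syntactically valid but unwanted header (e.g. Bcc)
        // is refused even though it contains no CR/LF.
        if (!in_array(strtolower($name), $allowed, true)) {
            throw new InvalidArgumentException("Header not allowed: $name");
        }
        // Values: no CR, LF or NUL, so a value cannot end its own line.
        if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("Invalid value for header: $name");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Constructed sample inputs.
$allowed = ['From', 'Reply-To', 'X-Mailer'];
$cases = [
    'plain'             => ['From' => 'noreply@example.com'],
    'CRLF in value'     => ['From' => "a@example.com\r\nBcc: x@example.net"],
    'not in allow-list' => ['Bcc' => 'x@example.net'],
];
foreach ($cases as $label => $headers) {
    try {
        echo $label, ' => ', json_encode(build_extra_headers($headers, $allowed)), "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first case produces a header string; the other two are rejected before anything reaches `mail()`.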
