Hi all,

On Mon, Aug 8, 2016 at 8:33 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> disabled \r\n injections, that could override whole contents of mail,
> by checking string extra headers for mail/mb_send_mail already.
>
> Extra mail headers could be checked more by having array extra headers.
>
> https://bugs.php.net/bug.php?id=69791
> https://github.com/php/php-src/pull/2060
>
> This patch accepts both "string"(current) and "array"(new) extra
> headers. It does a lot more checks than string version.
>
> I spent only a few hours including research for this, so it might
> contain mistakes.
> Please review. I'll merge this to master within a week or so.
>
> Thank you.
>
> P.S. Even with array extra headers, it cannot prevent unwanted mail
> header injections. e.g. Attackers may inject unwanted 'bcc' headers
> with bad code. However, it does a better job than string only extra
> headers.

I'm confident in the feature now. I'll merge the PR to master
https://github.com/php/php-src/pull/2060
in a few days.

If anyone feels there should be an RFC, please let me know.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
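
The kind of per-header check that array extra headers make possible, sketched in userland PHP as an added example; it is not code from the patch or from php-src, and `build_extra_headers()` and the allowlist are hypothetical names. The allowlist covers the unwanted 'bcc' case from the P.S., which CR/LF checks alone do not catch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: turn an array of extra headers into a header string,
// rejecting anything that could start a new header line or add an unexpected header.
function build_extra_headers(array $headers, array $allowed): string
{
    $allowedLower = array_map('strtolower', $allowed);
    $lines = [];
    foreach ($headers as $name => $value) {
        // Field name: printable ASCII except ':' (RFC 5322 field-name).
        if (!is_string($name) || !preg_match('/\A[\x21-\x39\x3B-\x7E]+\z/', $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        // A syntactically valid "Bcc" key passes CR/LF checks, so names are allowlisted too.
        if (!in_array(strtolower($name), $allowedLower, true)) {
            throw new InvalidArgumentException("Header not allowed: $name");
        }
        // A list of values becomes repeated header lines.
        foreach (is_array($value) ? $value : [$value] as $v) {
            if (!is_string($v) || preg_match('/[\r\n\0]/', $v)) {
                throw new InvalidArgumentException("Invalid value for $name");
            }
            $lines[] = $name . ': ' . $v;
        }
    }
    return implode("\r\n", $lines);
}

// Constructed sample input.
$allowed = ['From', 'Reply-To', 'X-Mailer'];
echo build_extra_headers(['From' => 'app@example.com', 'X-Mailer' => 'demo'], $allowed), "\n";

$attempts = [
    'CRLF in value'    => ['Reply-To' => "user@example.com\r\nBcc: other@example.com"],
    'unwanted Bcc key' => ['Bcc' => 'other@example.com'],
    'colon in name'    => ['From: x' => 'y'],
];
foreach ($attempts as $label => $hdrs) {
    try {
        build_extra_headers($hdrs, $allowed);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```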