Hello,
On 07/17/2004 03:11 AM, Curt Zirzow wrote:
remove carriage returns to prevent embedded email directives
In another thread, I read that sentence. I'm interested in finding more information about that. I have some mail forms and want to make them as secure as possible, but do not know what and where I should filter.
Should I filter all CR and LF just in headers, or should I also do that in the message body (which is sent in the SMTP DATA section)?
For SMTP, all lines should be ended with CR+LF, or else messages may be discarded by spam filters or other programs. However, if you use the mail() function it may do some filtering on its own.
The mail() function does not do any filtering.
Read the source first to learn more about it.
I have read it, and am very familiar with it.
Every time there is a post about mail() and the person is unfamiliar with properly sending SMTP headers or data to sendmail, you *claim* it's a bug with PHP's mail() call without knowing what version of PHP they are using. You never ask if they are using Windows, which uses PHP's built-in sendmail tool. Nor do you ever ask what MTA that sendmail is really representing.
If you pay more attention you may notice that I always say that it *sounds* like a PHP bug. I am not even saying that it is necessarily a PHP bug.
After almost 5 years of helping people who post messages asking for help with mail function problems, it is easy for me to make an early diagnosis just from the symptoms.
If somebody presents a correctly written piece of code that uses the mail() function and still has problems, those problems have to be somewhere other than the user code. It is rarely in the involved MTA, so it may only be in the user environment configuration or in the PHP mail() function implementation.
Certain symptoms are usually related to bugs in the mail() function. You do not have to be a wizard to realize that; just having reasonable experience on the subject will do.
My responses to your emails are not targeted against you, but are simply correcting the facts as they currently stand.
So, you probably need to pay more attention because you seem to be departing from wrong assumptions.
As far as what filtering is going on, please enlighten me, this is the logic of the mail function:
I don't know what you think I mean when I say filtering. To make it clear, filtering for me is processing some input to produce some output. In this case the inputs are the mail function arguments and output is the message that is fed to the MTA. It may not only remove, but also add or change characters. All that is filtering to me.
trim leading space and make To: rfc822 compliant
trim leading space and make Subject: rfc822 compliant
These actions are filtering.
open pipe to sendmail
send the To: address
send the Subject:
if headers were specified, send those as well
PHP adds several line feeds. These are filtering to me as well.
send the message.
close the pipe to sendmail.
Now I do wonder where in the world filtering is going on there.
What I wonder is why you just mentioned what the mail function does when it calls sendmail!
AFAIK, PHP does not come with a built-in sendmail tool for Windows, unlike what you mention above. Maybe you know something that I am not aware of.
What I know is that when sendmail is not available, PHP calls Win32 code to send the message, relaying through an SMTP server. There is plenty of filtering done there, as you may see when reading the source.
--
Regards, Manuel Lemos
PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/
Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
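One way to apply the advice in this thread in a form handler, as an added example that is not code from the list or from PHP itself (all function names are hypothetical): user-supplied header fields are rejected outright if they contain CR or LF, while the message body keeps its newlines and only has its line endings normalised.

```php
<?php
// Added example for this thread, not code from the list or from PHP itself.
// Header fields built from form input are rejected outright if they contain
// CR, LF or NUL, so a form value cannot append extra header lines. The body
// keeps its newlines (it is the DATA section); only its line endings are
// normalised to CRLF. All function names here are hypothetical.

class HeaderInjectionException extends RuntimeException {}

// Return $value if it fits on one header line, otherwise throw. Rejecting
// instead of silently stripping keeps the attempt visible in the logs.
function assertSingleHeaderLine(string $field, string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new HeaderInjectionException("CR/LF in header field $field");
    }
    return $value;
}

// Address fields get the line check plus a syntax check: one bare address only.
function assertAddress(string $field, string $value): string
{
    $value = trim(assertSingleHeaderLine($field, $value));
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new HeaderInjectionException("Invalid address in header field $field");
    }
    return $value;
}

// Build the [to, subject, body, additional_headers] arguments for mail().
function buildMailFromForm(array $form): array
{
    $to      = assertAddress('To', $form['to'] ?? '');
    $from    = assertAddress('From', $form['from'] ?? '');
    $subject = assertSingleHeaderLine('Subject', $form['subject'] ?? '');
    $body    = preg_replace('/\r\n|\r|\n/', "\r\n", $form['message'] ?? '');
    return [$to, $subject, $body, "From: $from\r\n"];
}

// Constructed sample submission: the From field carries a CRLF and a second
// header line. buildMailFromForm() throws, and nothing reaches mail().
try {
    [$to, $subject, $body, $headers] = buildMailFromForm([
        'to'      => 'webmaster@example.com',
        'from'    => "user@example.com\r\nBcc: someone@example.net",
        'subject' => 'Contact form',
        'message' => "Hello,\nmulti-line bodies are fine.\n",
    ]);
    mail($to, $subject, $body, $headers);
} catch (HeaderInjectionException $e) {
    error_log('Rejected form submission: ' . $e->getMessage());
}
```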