Thus wrote Jordi Canals:

> Jordi Canals wrote:
>
> > Dennis Gearon wrote:
> >
> > > remove carriage returns to prevent embedded email directives
> >
> > In another thread, I read that sentence. I'm interested to find more
> > information about that. I have some mail forms and want to make them as
> > secure as possible, but do not know what and where I should filter.
> >
> > Should I filter all CR and LF just in headers, or should I also do that
> > in the message body? (Which is sent in the SMTP DATA section.)
>
> After the big thread that followed my question, I just want to say a
> couple of things:
>
> I only wanted to know how to prevent embedded email directives sent by
> a user, and if these directives can be found in the Headers or in the Body
> of the message.
One of the things to ensure you don't do is blindly allow user-entered data
to be sent into the $headers portion of the mail() call, for example:

    $headers = 'CC: ' . $_POST['CC'] . "\r\n";

The user can easily trick another 'rcpt to:' or other SMTP headers into the
posted CC variable.

Be especially careful if you allow any data into the 5th parameter (the one
that passes arguments to sendmail).

The $to and $subject lines get 'filtered' so \r, \n or \t get translated to
' ', to prevent such injection.

It basically comes down to the fact that any time you are sending any sort
of data to an external program, be it a shell exec, database query, mail(),
etc., validation of the data should be done.

Thanks for your patience.. And double thanks for bringing this topic back
under control :)

Curt
--
First, let me assure you that this is not one of those shady pyramid
schemes you've been hearing about. No, sir. Our model is the trapezoid!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
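To make the injection Curt describes concrete, here is an added example that is not part of the original thread and not PHP's own code. It shows what the quoted vulnerable line produces when $_POST['CC'] carries a CR/LF, and one way to validate the value before it reaches mail(). The helper names is_safe_header_value(), clean_address_list() and safe_headers() are illustrative, not PHP built-ins; the attacker input is constructed for the demonstration; the script assumes PHP 7.1 or later (nullable return types) and never actually sends mail.

```php
<?php
// Added example, not code from the original thread. The helper names below
// are illustrative, not PHP built-ins. Nothing here sends mail.

// Constructed attacker input for $_POST['CC']: a plausible address followed
// by a CRLF and a second header field. Header fields are separated by CRLF,
// so the MTA sees two fields where the form author expected one.
$posted_cc = "friend@example.com\r\nBcc: everyone@example.org";

// --- The vulnerable pattern quoted in the thread ---
$headers_bad = 'CC: ' . $posted_cc . "\r\n";
// $headers_bad is now:
//   "CC: friend@example.com\r\nBcc: everyone@example.org\r\n"
// i.e. an extra Bcc field that mail() hands to sendmail unchanged.

// Reject any value that could terminate or fold a header field.
// CR and LF are the actual problem; NUL and TAB are refused as well so the
// rule stays simple (stricter than RFC 5322 folding strictly requires).
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\x00\t]/', $value) === 0;
}

// Validate a comma-separated address list with PHP's own e-mail filter.
// Returns the normalised list, or null if any entry is not a bare address.
function clean_address_list(string $list): ?string
{
    $clean = [];
    foreach (explode(',', $list) as $addr) {
        $addr = trim($addr);
        if ($addr === '' || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        $clean[] = $addr;
    }
    return implode(', ', $clean);
}

// Build the $headers string from a name => value map, refusing anything
// that is not safe on a single header line. The application chooses the
// header names; user data only ever lands in the value position.
function safe_headers(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        if (!is_safe_header_value($name) || !is_safe_header_value($value)) {
            throw new InvalidArgumentException("unsafe characters in header '$name'");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines) . "\r\n";
}

// --- Hardened flow ---
$cc = clean_address_list($posted_cc);
if ($cc === null) {
    // The injected "\r\nBcc: ..." fails FILTER_VALIDATE_EMAIL, so mail()
    // is never reached. A real form would report the error to the user.
    echo "CC rejected\n";
} else {
    $headers_good = safe_headers([
        'From' => 'webform@example.com',   // fixed by the application
        'Cc'   => $cc,
    ]);
    // mail($to, $subject, $body, $headers_good);
    // Four arguments only: never derive the 5th (sendmail options)
    // parameter from user input.
}

// safe_headers() also catches a raw CRLF that reaches the value position
// by some other path:
try {
    safe_headers(['Cc' => $posted_cc]);
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}

// The body is different: it follows the first blank line, so a CR/LF there
// starts a new line of text, not a new header field. Validate it for what
// it is (length, content) rather than stripping line breaks.
$body = "Hello,\r\nthis is the message.\r\n";
```

Running this prints "CC rejected" and then "blocked: unsafe characters in header 'Cc'". The two checks are deliberately layered: clean_address_list() validates the value for what it is (an address list), while safe_headers() is the last line of defence for anything that must land on a header line regardless of type.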