Curt Zirzow wrote:

* Thus wrote Jordi Canals:

Jordi Canals wrote:

Should I filter all CR and LF Just in headers or also I should do that in the message body? (Which is sent in the SMTP DATA section).


One of the things to ensure you don't do is blindly allow user-entered data to be sent into the $headers portion of the mail() call, for example:

$headers = 'CC: ' . $_POST['CC'] . "\r\n";
The user can easily trick another 'rcpt to:' or other smtp headers
into the posted CC variable.


Be especially careful if you allow any data to the 5th parameter
(the one that passes arguments to sendmail).

The $to and $subject lines get 'filtered' so \r \n or \t get
translated to ' ', to prevent such injection.

Thanks, that's just what I was looking for.

As I filter and check all headers, and users can only enter valid e-mail addresses (one by one), there is no possibility to enter a new RCPT TO: header. This will cause an error to the user, and the information would be discarded.

Regards,
Jordi.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
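The header-injection pattern Curt describes, as an added example that is not part of the thread: the vulnerable CC construction beside a hardened version that validates each address separately and rejects the request if any address is not a single plain mailbox. The function names and the sample input are this example's own assumptions.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Vulnerable: whatever was posted in CC lands in the header block verbatim,
// so a value containing "\r\n" appends arbitrary extra headers.
function build_cc_header_unsafe(string $cc): string {
    return 'CC: ' . $cc . "\r\n";
}

// Hardened: take a list of addresses, validate each one on its own and refuse
// the whole request if any entry is not a single mailbox. FILTER_VALIDATE_EMAIL
// never accepts CR, LF, tab or spaces, so a valid address cannot carry a
// second header; the explicit control-character check makes the intent visible.
function build_cc_header_safe(array $addresses): ?string {
    $clean = [];
    foreach ($addresses as $addr) {
        $addr = trim((string) $addr);
        if ($addr === '' || preg_match('/[\r\n\t]/', $addr)) {
            return null;   // control characters: reject, do not "clean up"
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;   // not a plain mailbox: reject
        }
        $clean[] = $addr;
    }
    return $clean === [] ? '' : 'CC: ' . implode(', ', $clean) . "\r\n";
}

// Constructed sample input: a legitimate address followed by the kind of
// value that smuggles an additional recipient header.
$posted = [
    'alice@example.com',
    "bob@example.com\r\nBCC: someone-else@example.com",
];

var_dump(build_cc_header_unsafe($posted[1]));   // injected BCC survives
var_dump(build_cc_header_safe($posted));        // NULL: request refused

// Only validated headers reach mail(); user data never goes into the
// 5th (additional sendmail parameters) argument at all.
$headers = build_cc_header_safe(['alice@example.com']);
if ($headers !== null) {
    mail('list@example.com', 'Notice', 'Body text', $headers);
}
```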
