php mail header injection prevention

会有一股神秘感。 提交于 2021-02-18 19:30:19

问题


On the php manual page for mail function, there was a user comment saying "take care to prevent header injection".

In my application, I use the mail function, and the only user input I use as a parameter to the function is the email address.

I do a preliminary check of the email address using the regex ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$.

Will this also prevent against header injection?

Thanks,
jrh


回答1:


Someone would want to inject something like this:

user_address@domain.com
CC: spam_address1@domain.com, spam_address2@domain.com, spam_address3@domain.com

You do not allow \r\n which is needed for defining new header info. So your application is safe.




回答2:


Header injection is a risk only if you put user-supplied stuff inside the message headers. One tipical example is using the posted email address to set the Reply-To header.

This is what I use:

$email = preg_replace(array("/\r/i","/\n/i", "/%0a/i", "/%0d/i", "/Content-Type:/i", "/bcc:/i", "/to:/i", "/cc:/i", "/Content\-Transfer\-Encoding\:/i", "/Mime\-Version\:/i" ), "", $email); 


来源:https://stackoverflow.com/questions/2018963/php-mail-header-injection-prevention

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!