Error with PHP mail(): Multiple or malformed newlines found in additional_header

by

Had just the similar problem.
It came out of the blue. No PHP Code was changed.

What was changed: PHP was upgraded 5.5.25-1 to 5.5.26.

A security risk in PHP mail() function has been fixed and extra newlines in additional_headers are allowed no more. Because extra newlines mean: now starts the email message (and we surely don’t want somebody to inject some newlines through headers followed by an evil message).

What previously have worked fine, e.g. just having extra newlines after headers or even passing the whole message to additional_headers, will function no more.

Solution:

  • Sanitize your headers. No multiple newlines in additional_headers argument. These count as “multiple or malformed newlines”: \r\r, \r\0, \r\n\r\n, \n\n, \n\0.
  • Use additional_headers for headers only. Email message (multipart or not, with ir without attachments, etc) belongs in message argument, not in headers.

PHP Security Bug report: https://bugs.php.net/bug.php?id=68776
C Code diff how its fixed: http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/standard/mail.c;h=448013a472a3466245e64b1cb37a9d1b0f7c007e;hp=1ebc8fecb7ef4c266a341cdc701f0686d6482242;hb=9d168b863e007c4e15ebe4d2eecabdf8b0582e30;hpb=eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9

More Related Contents:

  1. PHP mail() works from command line but not apache
  2. The requested URL was not found on this server.
  3. Allow php sessions to carry over to subdomains
  4. How to flush output after each `echo` call?
  5. How to do URL re-writing in PHP?
  6. Htaccess: add/remove trailing slash from URL
  7. Execute PHP script in cron job
  8. index.php not loading by default
  9. URL rewriting : css, js, and images not loading
  10. How do I resolve a HTTP 414 “Request URI too long” error?
  11. Why are my PHP files showing as plain text? [duplicate]
  12. In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?
  13. how to access the command line for xampp on windows
  14. Using X-Sendfile with Apache/PHP
  15. How to prevent PHP sessions being shared between different apache vhosts?
  16. PHP emitting 500 on errors – where is this documented?
  17. Running two PHP versions on the same server
  18. Parse HTML as PHP
  19. SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  20. Unable to find the socket transport “ssl” – did you forget to enable it when you configured PHP?
  21. Apache is not running from XAMPP Control Panel ( Error: Apache shutdown unexpectedly. This may be due to a blocked port)
  22. How to manage a single PHP5 session on multiple apache servers?
  23. Enabling ‘strict_types’ globally in PHP 7
  24. Authorization header missing in PHP POST request
  25. OpenSSL not working on Windows, errors 0x02001003 0x2006D080 0x0E064002
  26. Upper memory limit for PHP/Apache
  27. Permission denied: /var/www/abc/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable?
  28. Parsing HTTP_RANGE header in PHP
  29. how to enable shell_exec and exec on php?
  30. How do I convert a PHP query string into a slash-based URL?

Leave a Comment