Had just the similar problem.
It came out of the blue. No PHP Code was changed.
What was changed: PHP was upgraded 5.5.25-1 to 5.5.26.
A security risk in PHP mail()
function has been fixed and extra newlines in additional_headers
are allowed no more. Because extra newlines mean: now starts the email message (and we surely don’t want somebody to inject some newlines through headers followed by an evil message).
What previously have worked fine, e.g. just having extra newlines after headers or even passing the whole message to additional_headers
, will function no more.
Solution:
- Sanitize your headers. No multiple newlines in
additional_headers
argument. These count as “multiple or malformed newlines”:\r\r, \r\0, \r\n\r\n, \n\n, \n\0
. - Use
additional_headers
for headers only. Email message (multipart or not, with ir without attachments, etc) belongs inmessage
argument, not in headers.
PHP Security Bug report: https://bugs.php.net/bug.php?id=68776
C Code diff how its fixed: http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/standard/mail.c;h=448013a472a3466245e64b1cb37a9d1b0f7c007e;hp=1ebc8fecb7ef4c266a341cdc701f0686d6482242;hb=9d168b863e007c4e15ebe4d2eecabdf8b0582e30;hpb=eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9