- fix memleak on binary_location
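--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -21,6 +21,8 @@
 #include <stdlib.h>
 #include <ctype.h>
 #include <stdio.h>
+#include <syslog.h>
+#include <string.h>
 #include "php.h"
 #include "ext/standard/info.h"
 
@@ -36,6 +38,9 @@
 #include "safe_mode.h"
 #include "exec.h"
 
+#include "zend_operators.h"
+#include "zend_globals.h"
+
 #if HAVE_SENDMAIL
 #ifdef PHP_WIN32
 #include "win32/sendmail.h"
@@ -104,6 +109,35 @@
                return;
        }
 
+    /* check for spam attempts with buggy webforms */
+    if (strchr(to, '\n') != NULL || strchr(to, '\r') != NULL) {
+        zend_error(E_WARNING, "Newlines aren't allowed in the To header. Mail not sent.");
+        RETURN_FALSE;
+    }
+
+    if (strchr(subject, '\n') != NULL || strchr(subject, '\r') != NULL) {
+        zend_error(E_WARNING, "Newlines aren't allowed in the Subject header. Mail not sent.");
+        RETURN_FALSE;
+    }
+
+    /* search for to, cc or bcc headers */
+    if (headers != NULL) {
+        if (strncasecmp(headers, "to:", sizeof("to:") - 1) == 0 || strcasestr(headers, "\nto:")) {
+            zend_error(E_WARNING, "To: headers aren't allowed in the additional_headers parameter. Mail not sent.");
+            RETURN_FALSE;
+        }
+
+        if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || strcasestr(headers, "\ncc:")) {
+            zend_error(E_WARNING, "CC: headers aren't allowed in the additional_headers parameter. Mail not sent.");
+            RETURN_FALSE;
+        }
+
+        if (strncasecmp(headers, "bcc:", sizeof("bcc:") - 1) == 0 || strcasestr(headers, "\nbcc:")) {
+            zend_error(E_WARNING, "BCC: headers aren't allowed in the additional_headers parameter. Mail not sent.");
+            RETURN_FALSE;
+        }
+    }
+
        if (to_len > 0) {
                to_r = estrndup(to, to_len);
                for (; to_len; to_len--) {
@@ -196,8 +230,42 @@
                        return 0;
                }
 #endif
-               fprintf(sendmail, "To: %s\n", to);
-               fprintf(sendmail, "Subject: %s\n", subject);
+               TSRMLS_FETCH();
+               
+               if ((to != NULL) && (strlen(to)!=0)) { 
+                       fprintf(sendmail, "To: %s\n", to);
+               }
+               if ((subject != NULL) && (strlen(subject)!=0)) {
+                       fprintf(sendmail, "Subject: %s\n", subject);
+               }
+
+               if (PG(http_globals)[TRACK_VARS_SERVER]) {
+                       zval **remote_addr, **server_name, **server_port,
+                               **script_name, **http_user_agent;
+                       
+                       if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &remote_addr)==SUCCESS) {
+                               convert_to_string_ex(remote_addr);
+                               fprintf(sendmail, "HTTP-Posting-Client: %s\n", Z_STRVAL_PP(remote_addr));
+                       }
+                       if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SERVER_NAME", sizeof("SERVER_NAME"), (void **) &server_name)==SUCCESS) {
+                               convert_to_string_ex(server_name);
+                               fprintf(sendmail, "HTTP-Posting-URI: %s", Z_STRVAL_PP(server_name));
+                               if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SERVER_PORT", sizeof("SERVER_PORT"), (void **) &server_port)==SUCCESS) {
+                                       convert_to_string_ex(server_port);
+                                       fprintf(sendmail, ":%s", Z_STRVAL_PP(server_port));
+                               }       
+                               if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SCRIPT_NAME", sizeof("SCRIPT_NAME"), (void **) &script_name)==SUCCESS) {
+                                       convert_to_string_ex(script_name);
+                                       fprintf(sendmail, "%s", Z_STRVAL_PP(script_name));
+                               }
+                               fprintf(sendmail, "\n");
+                       }
+                       if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &http_user_agent)==SUCCESS) {
+                               convert_to_string_ex(http_user_agent);
+                                       fprintf(sendmail, "HTTP-Posting-User-Agent: %s\n", Z_STRVAL_PP(http_user_agent));
+                       }
+               }
+
                if (headers != NULL) {
                        fprintf(sendmail, "%s\n", headers);
                }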
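Review bot: In the last hunk (`@@ -196,8 +230,42 @@`) the new `HTTP-Posting-*` lines write `$_SERVER` values into the message header block with a bare `%s`, without the CR/LF rejection that the `@@ -104,6 +109,35 @@` hunk adds for `to` and `subject`. `HTTP_USER_AGENT` is client-supplied, `SERVER_NAME` may follow the request's Host header depending on server configuration, and scripts can overwrite `$_SERVER` entries, so whether a line break can reach `fprintf` depends on the SAPI and web server, which are not visible here. I would guard each value before its `fprintf`, e.g. `if (strpbrk(Z_STRVAL_PP(http_user_agent), "\r\n") == NULL)`, and apply the same test to remote_addr, server_name, server_port and script_name. These headers also disclose the submitter's address and user agent to every recipient, which deserves a comment at the `if (PG(http_globals)[TRACK_VARS_SERVER])` block. The enclosing function starts and ends outside the hunk.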