Ticket #19719 (new enhancement)

Opened 5 months ago

PHPMailer allows invalid characters in display-name

Reported by: dllh Owned by: westi
Priority: normal Milestone: Awaiting Review
Component: External Libraries Version:
Severity: normal Keywords: has-patch needs-testing
Cc: daryl@…

Description

 RFC5322 defines the display name portion of an email address as follows: 

display-name => phrase
phrase => word / obs-phrase
obs-phrase => word / whitespace / dot
word => atom / quoted strings
atom => whitespace / atext
atext => 

                       ALPHA / DIGIT /    ; Printable US-ASCII
                       "!" / "#" /        ;  characters not including
                       "$" / "%" /        ;  specials.  Used for atoms.
                       "&" / "'" /
                       "*" / "+" /
                       "-" / "/" /
                       "=" / "?" /
                       "^" / "_" /
                       "`" / "{" /
                       "|" / "}" /
                       "~"

So, the display-name can contain the list of characters defined as atext plus dots plus whitespace plus quoted stringss.

Notable exclusions include things like >, <, ( and ). At present, PHPMailer does no validation of the display-name field. The attached patch adds validation that does the following:

  • Make sure we decode any utf8 characters
  • Compare the original value against a value with invalid characters stripped out
  • Fail validation if the original and the stripped version do not match (ie, we stripped something invalid, so the string must have been invalid)

The patch does not handle assuring proper pairing of quoted strings (it doesn't validate that quotes nest properly or occur only in pairs).

The following code works for testing the patch: 

<?php

require_once 'class-phpmailer.php';
require_once 'class-smtp.php';

$to_address = 'dllh@mailinator.com';
$to_name = 'DLLH';
$from_address = 'dllh@mailinator.com';
$from_name = 'DLLH test';
$subject = 'PHPMailer display-name validation test';
$body = "To Address: $to_address\nTo Name: $to_name\nFrom Address: $from_address\nFrom Name: $from_name";

try {
        $phpmailer = new PHPMailer( true );
        $phpmailer->AddAddress( $to_address, $to_name );
        $phpmailer->SetFrom( $from_address, $from_name );
        $phpmailer->Subject = $subject;
        $phpmailer->Body = $body;
        $phpmailer->Send();
} catch ( phpmailerException $e ) {
        print_r( $e->getMessage() );
}

To provoke an error, add a disallowed character such as > or ) to one of the _name variables. The code will bail with an invalid_display_name exception.

Attachments

phpmailer-display-name-validation.patch Download (2.1 KB) - added by dllh 5 months ago.
Adds display name validation

Change History

dllh5 months ago

Adds display name validation

Note: See TracTickets for help on using tickets.