#19719 closed enhancement (invalid)
PHPMailer allows invalid characters in display-name
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | External Libraries | Keywords: | has-patch |
| Focuses: | Cc: |
Description
RFC5322 defines the display name portion of an email address as follows:
display-name => phrase
phrase => word / obs-phrase
obs-phrase => word / whitespace / dot
word => atom / quoted strings
atom => whitespace / atext
atext =>
ALPHA / DIGIT / ; Printable US-ASCII
"!" / "#" / ; characters not including
"$" / "%" / ; specials. Used for atoms.
"&" / "'" /
"*" / "+" /
"-" / "/" /
"=" / "?" /
"^" / "_" /
"`" / "{" /
"|" / "}" /
"~"
So, the display-name can contain the list of characters defined as atext plus dots plus whitespace plus quoted stringss.
Notable exclusions include things like >, <, ( and ). At present, PHPMailer does no validation of the display-name field. The attached patch adds validation that does the following:
- Make sure we decode any utf8 characters
- Compare the original value against a value with invalid characters stripped out
- Fail validation if the original and the stripped version do not match (ie, we stripped something invalid, so the string must have been invalid)
The patch does not handle assuring proper pairing of quoted strings (it doesn't validate that quotes nest properly or occur only in pairs).
The following code works for testing the patch:
<?php
require_once 'class-phpmailer.php';
require_once 'class-smtp.php';
$to_address = 'dllh@mailinator.com';
$to_name = 'DLLH';
$from_address = 'dllh@mailinator.com';
$from_name = 'DLLH test';
$subject = 'PHPMailer display-name validation test';
$body = "To Address: $to_address\nTo Name: $to_name\nFrom Address: $from_address\nFrom Name: $from_name";
try {
$phpmailer = new PHPMailer( true );
$phpmailer->AddAddress( $to_address, $to_name );
$phpmailer->SetFrom( $from_address, $from_name );
$phpmailer->Subject = $subject;
$phpmailer->Body = $body;
$phpmailer->Send();
} catch ( phpmailerException $e ) {
print_r( $e->getMessage() );
}
To provoke an error, add a disallowed character such as > or ) to one of the _name variables. The code will bail with an invalid_display_name exception.
Attachments (1)
Change History (3)
#1
@
12 years ago
- Keywords close added; has-patch needs-testing removed
- Resolution set to invalid
- Status changed from new to closed
The display name or "FromName" is ran through the EncodeHeader method which does validation of display name. See: http://sourceforge.net/p/phpmailer/bugs/207/
dllh,
If you feel this is still an issue you might get better response and feedback by opening an issue on the phpmailer github repository, https://github.com/PHPMailer/PHPMailer/issues
Adds display name validation