
Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#19719 closed enhancement (invalid)

PHPMailer allows invalid characters in display-name

Reported by: dllh
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords: has-patch
Focuses:
Cc:

Description

RFC5322 defines the display name portion of an email address as follows:

display-name => phrase
phrase => word / obs-phrase
obs-phrase => word / whitespace / dot
word => atom / quoted strings
atom => whitespace / atext
atext => 

                       ALPHA / DIGIT /    ; Printable US-ASCII
                       "!" / "#" /        ;  characters not including
                       "$" / "%" /        ;  specials.  Used for atoms.
                       "&" / "'" /
                       "*" / "+" /
                       "-" / "/" /
                       "=" / "?" /
                       "^" / "_" /
                       "`" / "{" /
                       "|" / "}" /
                       "~"

So, the display-name can contain the list of characters defined as atext plus dots plus whitespace plus quoted strings.

Notable exclusions include things like >, <, ( and ). At present, PHPMailer does no validation of the display-name field. The attached patch adds validation that does the following:

  • Make sure we decode any utf8 characters
  • Compare the original value against a value with invalid characters stripped out
  • Fail validation if the original and the stripped version do not match (i.e., we stripped something invalid, so the string must have been invalid)

The patch does not handle assuring proper pairing of quoted strings (it doesn't validate that quotes nest properly or occur only in pairs).

The following code works for testing the patch:

<?php

require_once 'class-phpmailer.php';
require_once 'class-smtp.php';

$to_address = 'dllh@mailinator.com';
$to_name = 'DLLH';
$from_address = 'dllh@mailinator.com';
$from_name = 'DLLH test';
$subject = 'PHPMailer display-name validation test';
$body = "To Address: $to_address\nTo Name: $to_name\nFrom Address: $from_address\nFrom Name: $from_name";

try {
        $phpmailer = new PHPMailer( true );
        $phpmailer->AddAddress( $to_address, $to_name );
        $phpmailer->SetFrom( $from_address, $from_name );
        $phpmailer->Subject = $subject;
        $phpmailer->Body = $body;
        $phpmailer->Send();
} catch ( phpmailerException $e ) {
        print_r( $e->getMessage() );
}

To provoke an error, add a disallowed character such as > or ) to one of the _name variables. The code will bail with an invalid_display_name exception.

Attachments (1)

phpmailer-display-name-validation.patch (2.1 KB) - added by dllh 13 years ago.
Adds display name validation
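
The strip-and-compare check described in the ticket, as an added example that is not the attached patch or PHPMailer's own code. The function name `display_name_is_valid` and the sample names are made up for illustration; the UTF-8 decoding step is left out (input is treated as raw bytes, so non-ASCII characters fail), and whitespace is assumed to mean space and tab only.

```php
<?php
// Added example: hypothetical helper, not the ticket's patch or PHPMailer code.

/**
 * Strip-and-compare check for a display name.
 *
 * Allowed set (assumption based on the ticket text): atext, ".",
 * space and tab, and the double quote that delimits quoted strings.
 * Quote pairing is not checked, matching the limitation the ticket states.
 */
function display_name_is_valid( $name ) {
	// preg_quote() escapes the regex metacharacters; "/" is the delimiter.
	$atext_symbols = preg_quote( '!#$%&\'*+-/=?^_`{|}~', '/' );
	$disallowed    = '/[^A-Za-z0-9' . $atext_symbols . '. \t"]/';

	// Remove every byte that is outside the allowed set.
	$stripped = preg_replace( $disallowed, '', $name );

	// Anything removed means the original held an invalid character.
	return $stripped === $name;
}

// Constructed sample names mapped to the expected result.
$samples = array(
	'DLLH test'         => true,
	'J. R. "Bob" Dobbs' => true,
	'DLLH <test>'       => false, // "<" and ">" are not atext
	'DLLH (test)'       => false, // "(" and ")" are not atext
	"DLLH\r\ntest"      => false, // CR and LF are not in the allowed set
	'Dvořák'            => false, // non-ASCII bytes fail without decoding
);

foreach ( $samples as $name => $expected ) {
	$actual = display_name_is_valid( $name );
	printf( "%-22s %s\n", json_encode( $name ), $actual === $expected ? 'ok' : 'MISMATCH' );
}
```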


Change History (3)

@dllh
13 years ago

Adds display name validation

#1 @c3mdigital
12 years ago

  • Keywords close added; has-patch needs-testing removed
  • Resolution set to invalid
  • Status changed from new to closed

The display name or "FromName" is run through the EncodeHeader method which does validation of display name. See: http://sourceforge.net/p/phpmailer/bugs/207/

dllh,
If you feel this is still an issue you might get better response and feedback by opening an issue on the phpmailer github repository, https://github.com/PHPMailer/PHPMailer/issues

#2 @SergeyBiryukov
12 years ago

  • Keywords has-patch added; close removed
  • Milestone Awaiting Review deleted