Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.0.0

Bug #8699 slightly improved regex for header injection checking
Submitted: 2006-09-14 14:43 UTC
From: werner at seagullproject dot org Assigned: jon
Status: Closed Package: Mail (version 1.1.12)
PHP Version: 5.1.2 OS: all
Roadmaps: (Not assigned)    
Subscription  
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes. If this is not your bug, you can add a comment by following this link. If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
2006-09-15 03:50 UTC
Package:
Bug Type:
Summary:
From: werner at seagullproject dot org
New email:
PHP Version: Package Version: OS:

 

 [2006-09-14 14:43 UTC] werner at seagullproject dot org (Werner Krauss)
Description: ------------ We implemented the patch from http://pear.php.net/bugs/6229 earlier in Seagull PHP Framework and improved the regex: Currently it's: '=(<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r).*=' We have: "#((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*#i" which would also match on <lf> patch to follow

Comments

 [2006-09-14 15:10 UTC] werner at seagullproject dot org
We implemented the patch from http://pear.php.net/bugs/6229 earlier in Seagull PHP Framework and improved the regex: Currently it's: '=(<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r).*=' We have: "#((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*#i" which would also match on <lf> patch is here: http://www.netwerkstatt.at/temp/sanitise_header_improvement.diff
 [2006-09-15 03:50 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!