Wil*_*tin 4 php security email sanitization newline
我有一个允许一个文件附件的表单,并生成一个硬编码地址的电子邮件.我想避免恶意用户输入自定义邮件头的可能性(CRLF注入,因为电子邮件头根据RFC以\ r \n结尾,因此被调用).
假设我对每个可能进入$ additional_headers参数的数据运行以下函数:
<?php
function strip_crlf($string){ return str_replace("\r\n", "\n", $string); }
?>
这取代了CRLF对的回车一半.这会充分防止潜在的攻击吗?
通常我会用空字符串替换\ r \n.但是这种特殊形式允许一个附件,这意味着消息体实际上最终通过$ additional_headers参数传递,因为PHP没有用于构建多部分MIME编码电子邮件的本机函数(我知道).
如果有人关心,这是我邮寄附件的功能:
<?php
function mail_attachment($to, $from, $from_name, $subject, $message, $file = false, $filename = false, $filetype = false){
// Remove CRLF sequences from everything that might go into a header
$from = strip_crlf($from);
$from_name = strip_crlf($from_name);
$message = strip_crlf($message);
if($filename){ $filename = strip_crlf($filename); }
if($filetype){ $filetype = strip_crlf($filetype); }
// $to and $subject escaping handled natively by mail();
// $file is base64 encoded before mail_attachment() is called.
$header = '';
// No file attachment; just send a regular email.
if(!$file){
$header .= "From: ".$from_name." <".$from.">\r\n";
return mail($to, $subject, $message, $header);
}
$uid = md5(uniqid(time()));
// Build a MIME encoded message.
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: multipart/mixed; boundary=\"$uid\"\r\n\r\n";
$header .= "This is a multi-part message in MIME format.\r\n";
$header .= "--$uid\r\n";
$header .= "Content-type:text/plain; charset=utf-8\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n\r\n";
$header .= "--$uid\r\n";
$header .= "Content-Type: $filetype; name=\"$filename\"\r\n";
$header .= "Content-Transfer-Encoding: base64\r\n";
$header .= "Content-Disposition: attachment; filename=\"$filename\"\r\n\r\n";
$header .= "$file\r\n\r\n";
$header .= "--$uid--";
// Send the mail.
return mail($to, $subject, '', $header);
}
?>
| 归档时间: |
|
| 查看次数: |
2037 次 |
| 最近记录: |