Posted by Rik on 01/12/07 16:53
Chuck Anderson wrote:
> Rik wrote:
>> Chuck Anderson wrote:
>>
>>> If I enter "subject\r\n" in the text field and click "Send Mail" the
>>> output is:
>>>
>>> subject = subject\\r\\n
>>> subject_match = 0
>>>
>>> ..... I don't get it?! Shouldn't that be a match?
>>>
>>
>> The string '\r\n' != "\r\n"....
>>
>
> Okay, ... ... but I don't follow you. How does that apply?
>
> Isn't that how someone would inject extra headers - by entering
> \r\nbcc:.... (for instance)?
>
> How do I detect that?

They are not typing \r\n in that case. The \r and \n are carriage
return/line feed characters. You probably cannot test this in your form, as
in a normal text input you cannot enter these characters (in a textarea you
can BTW). They can send POST data to your server without using the form
though, which is how they're able to send these newline characters.

To test this, you can either go through a lot of trouble trying to post
this to your script, but I'd go for the easy approach: make a string with a
newline in it and test this directly:

$string = "foo\r\nbar";
//or
$string = 'foo
bar';

And then check whether this string passes or not. It's not worth your effort
to mimic an evil post :-)
--
Rik Wasmus
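
The direct test described in the reply above, as an added example that is not part of the original post: a check for real CR/LF bytes in a value bound for a mail header, run against constructed strings. The function name `has_header_break()` and all sample values are hypothetical.

```php
<?php
// Added example, not from the original thread.
// has_header_break() and the sample values are hypothetical/constructed.

/**
 * Return true if a value destined for a mail header (Subject, From, ...)
 * contains a real carriage return (0x0D) or line feed (0x0A) byte.
 */
function has_header_break(string $value): bool
{
    // The double quotes matter: "\r\n" is the two control bytes, while
    // '\r\n' would be four printable characters (backslash, r, backslash, n).
    return strpbrk($value, "\r\n") !== false;
}

// Constructed inputs. The first is what arrives when someone types
// backslash-r-backslash-n into a text field; the next two are what a
// hand-built POST request can carry (PHP has already decoded any
// %0D / %0A in the request body by the time the value is in $_POST).
$samples = [
    'typed into the text field' => 'subject\r\n',
    'real CRLF + extra header'  => "subject\r\nBcc: someone@example.invalid",
    'bare LF only'              => "subject\nBcc: someone@example.invalid",
    'clean subject'             => 'Hello from the contact form',
];

foreach ($samples as $label => $value) {
    // bin2hex() makes the difference visible: 5c72 5c6e for the typed
    // text versus 0d 0a for the real control characters.
    printf(
        "%-26s break=%-3s hex=%s\n",
        $label,
        has_header_break($value) ? 'yes' : 'no',
        bin2hex($value)
    );
}

// In the form handler, a hit means the request is rejected before the
// value ever reaches mail():
//
//   if (has_header_break($_POST['subject'])) {
//       http_response_code(400);
//       exit('Invalid subject');
//   }
```

The check belongs on every field that ends up in a header (subject, sender name, sender address); a message body may legitimately contain newlines and is not tested this way.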