Reply to Re: preg_match to detect \r\n - doesn't work

Posted by Chuck Anderson on 01/12/07 22:14

Rik wrote:
> Chuck Anderson wrote:
>
>> Rik wrote:
>>
>>> Chuck Anderson wrote:
>>>
>>>
>>>> If I enter "subject\r\n" in the text field and click "Send Mail" the
>>>> output is:
>>>>
>>>> subject = subject\\r\\n
>>>> subject_match = 0
>>>>
>>>> ..... I don't get it?! Shouldn't that be a match?
>>>>
>>>>
>>> The string '\r\n' != "\r\n"....
>>>
>>>
>> Okay, ... ... but I don't follow you. How does that apply?
>>
>> Isn't that how someone would inject extra headers - by entering
>> \r\nbcc:.... (for instance)?
>>
>> How do I detect that?
>>
>
> They are not typing \r\n in that case. The \r and \n are carriage
> return/line feed characters. You probably cannot test this in your form, as
> in a normal text input you cannot enter these characters (in a textarea you
> can BTW). They can send POST data to your server without using the form
> though, which is how they're able to send these newline characters.
>
> To test this, you can either go through a lot of trouble trying to post
> this to your script, but I'd go for the easy approach, make a string with a
> newline in it and test this directly:
>
> $string = "foo\r\nbar";
> //or
> $string = 'foo
> bar';
>
> And then check whether this string passes or not. It's not worth your effort
> to mimic an evil post :-)
>

Okay, thanks. I get it now. What baffled me was just that. If I tested
by using:
$subject = "This is the Subject\r\n";
Then preg_match('`[\r\n]`',$_POST['subject']) matched. If it was POSTed
from a text field in a form it would not.

The host I'm with actually uses Apache mod_security to disallow the
string cc: to appear in *any* POST variable. But I want to make sure my
scripts are secure regardless of that. (I also think that's a bit of
annoying overkill.)

Thanks for shedding some light on that \r\n thing for me.

(I'm going to start another thread, but what got me going on this is
that someone has started using my contact form to send spam to me - and
me alone. I am tracking the usage of my script closely and I can see
that they are not even trying to use it as an open emailer. But still,
..... it's a bit annoying.)

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
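As an added example (not code from the thread), here is the check a PHP contact-form handler can run on the fields that end up in mail headers; the three constructed inputs reproduce the difference discussed above between a literal `\r\n` typed into a text field and real CR/LF bytes. The field names and the sample POST array are assumptions.

```php
<?php
// Added example, not from the thread: refuse any header-bound form field
// that contains a raw CR or LF byte, which an email header injection needs.

/**
 * True if $value contains a real carriage return or line feed.
 * The \r and \n in the pattern are PCRE escapes, so a single-quoted
 * PHP string is fine here (PHP leaves the backslashes alone).
 */
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Check only the fields that are placed into mail() headers (assumed names).
 * Returns the names of the offending fields; an empty array means clean.
 */
function findInjectedHeaderFields(array $post, array $headerFields): array
{
    $bad = [];
    foreach ($headerFields as $field) {
        if (hasHeaderInjection($post[$field] ?? '')) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed inputs reproducing the confusion in the thread.
$cases = [
    // Typed into a text input as backslash-r backslash-n: no CR/LF bytes.
    'literal backslashes' => 'subject\r\n',
    // PHP double-quoted string: real CR and LF bytes.
    'real CRLF'           => "subject\r\n",
    // Single-quoted string spanning two lines: a real LF byte.
    'real LF'             => 'subject
bcc: someone@example.com',
];

foreach ($cases as $label => $value) {
    printf("%-20s -> %s\n", $label, hasHeaderInjection($value) ? 'rejected' : 'ok');
}

// Simulated POST (constructed). Only header-bound fields are checked;
// a multi-line message body is legitimate and is not a header.
$post = ['name' => 'Alice', 'subject' => "Hello\r\nBcc: x@example.com", 'body' => "Hi\nthere"];
$bad  = findInjectedHeaderFields($post, ['name', 'subject']);
if ($bad !== []) {
    // Reject the whole submission rather than trying to "clean" it.
    echo 'Rejected fields: ' . implode(', ', $bad) . "\n";
}
```

Because PHP has already URL-decoded `$_POST` by the time a script sees it, an encoded `%0d%0a` arrives as the same raw bytes and is caught by the same test.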
