PHP mail() reject implicit recipients patch


If you have a PHP script that sends mail, it can often be difficult to prevent misuse by malicious users. The misuse often takes the form of additional headers being injected, for example, by supplying malformed 'from' addresses.

Of course, the correct solution is to fully sanitise all supplied data before you use it, but this can be troublesome if other people are writing PHP scripts on a server that you administer.

The Solution

This patch attempts to address this weakness by parsing the 'headers' argument to the PHP mail() function. If any implicit recipients are found in the headers, the mail() function will fail with an error:

Mail header contains implicit recipients. Mail not sent.

Of course, if you want to send mail to multiple recipients, you can still do so by listing them in the first argument to mail().

Here's the most recent versions of the patch:


This is a patch against the PHP source code. I apply it with something like:
patch -p1 < php-mail-reject-implicit-recipients.patch

See Also

You might also find the following patch useful to you:
Steve Bennett
last updated: 02/09/2006