[wp-trac] [WordPress Trac] #19719: PHPMailer allows invalid characters in display-name

[WordPress Trac]

#19719: PHPMailer allows invalid characters in display-name
--------------------------------+-------------------------------------
 Reporter:  dllh                |      Owner:  westi
     Type:  enhancement         |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  External Libraries  |    Version:
 Severity:  normal              |   Keywords:  has-patch needs-testing
--------------------------------+-------------------------------------
 [http://tools.ietf.org/html/rfc5322 RFC5322] defines the display name
 portion of an email address as follows:

 {{{
 display-name => phrase
 phrase => word / obs-phrase
 obs-phrase => word / whitespace / dot
 word => atom / quoted strings
 atom => whitespace / atext
 atext =>

                        ALPHA / DIGIT /    ; Printable US-ASCII
                        "!" / "#" /        ;  characters not including
                        "$" / "%" /        ;  specials.  Used for atoms.
                        "&" / "'" /
                        "*" / "+" /
                        "-" / "/" /
                        "=" / "?" /
                        "^" / "_" /
                        "`" / "{" /
                        "|" / "}" /
                        "~"
 }}}

 So, the display-name can contain the list of characters defined as atext
 plus dots plus whitespace plus quoted stringss.

 Notable exclusions include things like >, <, ( and ). At present,
 PHPMailer does no validation of the display-name field. The attached patch
 adds validation that does the following:

 * Make sure we decode any utf8 characters
 * Compare the original value against a value with invalid characters
 stripped out
 * Fail validation if the original and the stripped version do not match
 (ie, we stripped something invalid, so the string must have been invalid)

 The patch does not handle assuring proper pairing of quoted strings (it
 doesn't validate that quotes nest properly or occur only in pairs).

 The following code works for testing the patch:

 {{{
 <?php

 require_once 'class-phpmailer.php';
 require_once 'class-smtp.php';

 $to_address = 'dllh at mailinator.com';
 $to_name = 'DLLH';
 $from_address = 'dllh at mailinator.com';
 $from_name = 'DLLH test';
 $subject = 'PHPMailer display-name validation test';
 $body = "To Address: $to_address\nTo Name: $to_name\nFrom Address:
 $from_address\nFrom Name: $from_name";

 try {
         $phpmailer = new PHPMailer( true );
         $phpmailer->AddAddress( $to_address, $to_name );
         $phpmailer->SetFrom( $from_address, $from_name );
         $phpmailer->Subject = $subject;
         $phpmailer->Body = $body;
         $phpmailer->Send();
 } catch ( phpmailerException $e ) {
         print_r( $e->getMessage() );
 }
 }}}

 To provoke an error, add a disallowed character such as > or ) to one of
 the _name variables. The code will bail with an invalid_display_name
 exception.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19719>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software