[nycphp-talk] Filtering input to be appended inside email

Mikko Rantalainen mikko.rantalainen at peda.net
Thu Sep 15 05:04:16 EDT 2005


Daniel Convissor wrote:
> Hey Mikko:
> On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote:
> 
>>	# header cannot contain CRLF
>>	# our implementation strips out CRs, make sure all LFs
>>	# are safe and reinserts CRs
>>	$value = preg_replace("@\r@","",trim($value));
>>	$value = preg_replace("@\n@","\n ",$value);
>>	$value = preg_replace("@\n@","\r\n",$value);
> 
> That can be done in one call (untested):
>     $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));

Yeah, that can be done in one call, but let's include the 'g' so 
that we are safe even if the input includes multiple lines of text. 
Also, allow multiple linefeeds to follow each other without 
discarding information (if input has "\r\n\r\n\r\n" then output 
should have "\r\n \r\n \r\n").

Let's try again:
   $value = preg_replace("#\r*\n#g", "\r\n ", trim($value));

Note that this version still allows invalid input such as 
"word1\rword2".

Even if you decide to use the original version with three 
preg_replace()s, add the missing 'g's after second @.

> I see the point of this is putting a space at the beginning of the line so 
> the input doesn't get interpreted as a new header line.  But in my 
> opinion, when user input is involved, allowing \r or \n isn't wise in the 
> first place.

See the RFC 2822. Including line feeds is okay as long as the next 
line starts with a space. I'm always trying to make the most generic 
function that's still safe without discarding any information that I 
can still keep (in this case, LFs).

-- 
Mikko
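The header-value folding discussed in this thread, written out as an added example (this is not code from either of the posts above). It keeps the "#\r*\n#" pattern from the message; note that PHP's preg_replace() replaces every match by default, so no modifier is needed for that. The bare-CR check, the exception, and the sample inputs are additions of this example and not part of the original.

```php
<?php
// Added example, not from the original thread.
// Folds a user-supplied header value so that every line break becomes
// CRLF followed by a single space (folding white space per RFC 2822),
// which stops an injected LF from starting a new header line.

/**
 * Fold a header value. Bare CRs that are not part of a CRLF sequence
 * (e.g. "word1\rword2") are rejected instead of being silently accepted.
 *
 * @throws InvalidArgumentException on a bare CR
 */
function foldHeaderValue(string $value): string
{
    $value = trim($value);

    // Reject any CR that is not followed by another CR or an LF.
    // (Hypothetical check added by this example; the thread only notes
    // that such input slips through the one-line version.)
    if (preg_match("#\r(?![\r\n])#", $value)) {
        throw new InvalidArgumentException('bare CR in header value');
    }

    // Every LF, with any CRs directly before it, becomes CRLF + SP.
    // preg_replace() is global, so all occurrences are rewritten.
    return preg_replace("#\r*\n#", "\r\n ", $value);
}

// Constructed sample inputs and the output each should produce.
$cases = [
    "plain subject"      => "plain subject",
    "line1\nline2"       => "line1\r\n line2",
    "a\r\n\r\n\r\nb"     => "a\r\n \r\n \r\n b",   // blank lines are kept, each folded
    "a\nX-Foo: bar"      => "a\r\n X-Foo: bar",     // no new header line is created
];

foreach ($cases as $input => $expected) {
    $got = foldHeaderValue($input);
    printf("%-30s => %s\n", json_encode($input), $got === $expected ? 'ok' : 'MISMATCH');
}

try {
    foldHeaderValue("word1\rword2");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php fold.php`; each sample prints "ok" and the last line reports the bare-CR input as rejected.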


