1--TEST-- 2Bug #80710 (imap_mail_compose() header injection) - MIME Splitting Attack 3--SKIPIF-- 4<?php 5if (!extension_loaded("imap")) die("skip imap extension not available"); 6?> 7--FILE-- 8<?php 9$envelope["from"]= "joe@example.com\n From : X-INJECTED"; 10$envelope["to"] = "foo@example.com\nFrom: X-INJECTED"; 11$envelope["cc"] = "bar@example.com\nFrom: X-INJECTED"; 12$envelope["subject"] = "bar@example.com\n\n From : X-INJECTED"; 13$envelope["x-remail"] = "bar@example.com\nFrom: X-INJECTED"; 14$envelope["something"] = "bar@example.com\nFrom: X-INJECTED"; 15 16$part1["type"] = TYPEMULTIPART; 17$part1["subtype"] = "mixed"; 18 19$part2["type"] = TYPEAPPLICATION; 20$part2["encoding"] = ENCBINARY; 21$part2["subtype"] = "octet-stream\nContent-Type: X-INJECTED"; 22$part2["description"] = "some file\nContent-Type: X-INJECTED"; 23$part2["contents.data"] = "ABC\nContent-Type: X-INJECTED"; 24 25$part3["type"] = TYPETEXT; 26$part3["subtype"] = "plain"; 27$part3["description"] = "description3"; 28$part3["contents.data"] = "contents.data3\n\n\n\t"; 29 30$body[1] = $part1; 31$body[2] = $part2; 32$body[3] = $part3; 33 34echo imap_mail_compose($envelope, $body); 35?> 36--EXPECTF-- 37Warning: imap_mail_compose(): header injection attempt in from in %s on line %d 38