When passing unvalidated and unsanitized input as
$additional_headers argument, both functions are vulnerable to
email header injection. For instance:

  // $_POST['from'] == "[email protected]\r\nBcc: [email protected]"
  $from = $_POST['from'];
  mb_send_mail(
    '[email protected]', 'foo', 'bar', "From: $from"
  );
  
It seems to me that this is more of an documentation issue.

@cmbecker69 Thanks. Sloppy reading the code.

I'll fix it anyway.

Please see my comments in git.

Now it has issues with:

mail('', $subject,'',imap_mail_compose($envelope, $body)));

Also this version of code:

function validateMail($str){
 return str_replace(array('\r\r','\r\0','\r\n\r\n','\n\n','\n\0'),'',$str);
}
mail('', $subject,'',validateMail(imap_mail_compose($envelope, $body))));

We are aware of that.
I'm going to handle it.

https://bugs.php.net/bug.php?id=69791

Yasuo, I assume that fixing bug #69791 will not make it possible
to pass the result of imap_mail_compose() as $additional_headers
parameter of mail(). Actually, I consider passing the body of a
mail via $additional_headers as more than doubtful.

However, the current documentation doesn't explicitly state that
this could not be done, and apparently it worked before the fix of
this bug had been applied. So this is a BC, albeit likely a very
minor one; the documentation should better be updated accordingly,
nonetheless.

@cmb

I agree. Documentation must be improved. 
I'll update the doc.

Done.

http://svn.php.net/viewvc?view=revision&revision=337039

Please feel free to improve anything.

Thx for response.

A short feedback here:

<?php

//Example mail with HMTL body on additional_header
$uid = md5(rand());

$to = "[email protected]";
$subject = "My subject";

$headers = 

"From: [email protected]" 				. "\r\n" .

"MIME-Version: 1.0" 					. "\r\n" .
"Content-Type: multipart/mixed; boundary=\"".$uid."\""	. "\r\n" .
"This is a multi-part message in MIME format." 		. "\r\n" .
"--".$uid						. "\r\n" .
"Content-Type: TEXT/html; CHARSET=iso-8859-1" 		. "\r\n" .
"Content-Transfer-Encoding: BASE64" 			. "\r\n" .
"Content-Description: htmlpart" 			. "\r\n" .
"" 							. "\r\n" .
"=?UTF-8?B?PHN0cm9uZz50ZXN0PC9zdHJvbmc+?=" 		. "\r\n" .
"--".$uid;

mail($to,$subject,'',$headers);

?>

Warning: mail(): Multiple or malformed newlines found in additional_header in /

It seems like it doesn't matter how to perform $additional_headers if something like attachments or html-body-parts are set up.

Addition: If this line: "". "\r\n" . is been removed, the mail()-error doesn't apply. But unfortunately either no email is sent this way on one hosting plattform or the email is sent without body on the other.

@chaos

We are planning to eliminate injection by this
https://bugs.php.net/bug.php?id=69791

@chaos

To send multipart MIME message, users should use header and body correctly. RFC 2822 defines CRLF+CRLF as start of body. So if users are misusing $additional_headers, they have to fix their code.

@yohgaki

regarding your last comment @chaos; 
The documentation states 'String to be inserted at the end of the email header' and it could (and has) been used to send a MIME message. 
So this injection prevention fix breaks code which worked for over 10 years. And its also in a pretty important part, the sending of mail.

I think this should not be fixed in minor release without any mention of a serious backwards compatibility break....

hai , this is test message

hello