From b8d1b6ccb5d67874d8637a273f73fd9ae1138f16 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 6 Feb 2015 22:43:16 +0100
Subject: fixed newline detection for suhosin.mail.protect

---
 Changelog |  1 +
 execute.c | 25 ++++++++++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/Changelog b/Changelog
index 98472a1..a6b7e3a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,7 @@
 2015-xx-xx - 0.9.38-dev
     - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
     - allow https location for suhosin.filter.action
+    - fixed newline detection for suhosin.mail.protect
 
 2014-12-12 - 0.9.37.1
     - Changed version string to 0.9.37.1 (without -dev)
diff --git a/execute.c b/execute.c
index bc7dc59..d2fdaba 100644
--- a/execute.c
+++ b/execute.c
@@ -751,7 +751,10 @@ int ih_mail(IH_HANDLER_PARAMS)
 		return (1);
 	}
 
-	if (headers_len > 0 && headers && (strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")) ) {
+	if (headers_len > 0 && headers &&
+		(strstr(headers, "\n\n") || strstr(headers, "\n\r\n") /* double newline */
+			|| *headers == '\n' || (headers[0] == '\r' && headers[1] == '\n') /* starts with newline */
+	)) {
 		suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
 		if (!SUHOSIN_G(simulation)) {
 			RETVAL_FALSE;
@@ -762,14 +765,14 @@ int ih_mail(IH_HANDLER_PARAMS)
 	/* check for spam attempts with buggy webforms */
 	if (to_len > 0 && to) {
 		do {
-			tmp = strchr(to, '\n');
-			tmp = tmp == NULL ? strchr(to, '\r') : tmp;
+			if ((tmp = strchr(to, '\n')) == NULL)
+				tmp = strchr(to, '\r');
 			if (tmp == NULL) break;
-			to = tmp+1;
-			if (isspace(*to)) continue;
+			to = tmp + 1;
+			if (!isspace(*to)) break;
 		} while (1);
 		if (tmp != NULL) {
-			suhosin_log(S_MAIL, "mail() - newline in to header, possible injection, mail dropped");
+			suhosin_log(S_MAIL, "mail() - newline in To header, possible injection, mail dropped");
 			if (!SUHOSIN_G(simulation)) {
 				RETVAL_FALSE;
 				return (1);
@@ -779,14 +782,14 @@ int ih_mail(IH_HANDLER_PARAMS)
 
 	if (subject_len > 0 && subject) {
 		do {
-			tmp = strchr(subject, '\n');
-			tmp = tmp == NULL ? strchr(subject, '\r') : tmp;
+			if ((tmp = strchr(subject, '\n')) == NULL)
+				tmp = strchr(subject, '\r');
 			if (tmp == NULL) break;
-			subject = tmp+1;
-			if (isspace(*subject)) continue;
+			subject = tmp + 1;
+			if (!isspace(*subject)) break;
 		} while (1);
 		if (tmp != NULL) {
-			suhosin_log(S_MAIL, "mail() - newline in subject header, possible injection, mail dropped");
+			suhosin_log(S_MAIL, "mail() - newline in Subject header, possible injection, mail dropped");
 			if (!SUHOSIN_G(simulation)) {
 				RETVAL_FALSE;
 				return (1);
-- 
cgit v1.3