Bytes | Software Development & Data Engineering Community

preg_match to detect \r\n - doesn't work

I am trying to implement email injection protection by looking for \r
and/or \n in the name, subject, or email address fields from my contact form.

The first script, contact_us.php, contains a form with text fields for
name, subject, and emailaddr (the sender's email address). The message
(body of the email) is a textarea.

I post the form to send_the_email_contact.php where I have the following
test:

if (preg_match('`[\r\n]`', $_POST['subject']))
{
    exit('injection attempt');
}

To test this, when I fill in the form, I type "This is the subject\r\n"
in the subject field.

When I click on submit and enter send_the_email_contact.php it does not
catch the \r\n. I have checked and preg_match returns a 0.

Why doesn't this test work?

----------------------------------

To make it even simpler, I have created a test script with this (inside
an html body):

<form id="form1" method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="text" name="subject" value="<?= isset($_POST['subject']) ? htmlspecialchars(stripslashes($_POST['subject'])) : '' ?>">
<input type="submit" name="send" value="Send Mail">
</form>

<?php
if (isset($_POST['send']) && $_POST['send'] == 'Send Mail')
{
    echo "subject = " . htmlspecialchars($_POST['subject']) . "<br>";
    echo "subject_match = " . preg_match("/[\r\n]/", $_POST['subject']);
}
?>

If I enter "subject\r\n" in the text field and click "Send Mail" the
output is:

subject = subject\\r\\n
subject_match = 0

...... I don't get it?! Shouldn't that be a match?

--
******************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
******************************
Jan 12 '07 #1
Rik
Chuck Anderson wrote:
> If I enter "subject\r\n" in the text field and click "Send Mail" the
> output is:
>
> subject = subject\\r\\n
> subject_match = 0
>
> ..... I don't get it?! Shouldn't that be a match?

The string '\r\n' != "\r\n"....
--
Rik Wasmus
Jan 12 '07 #2
Rik wrote:
> Chuck Anderson wrote:
>> If I enter "subject\r\n" in the text field and click "Send Mail" the
>> output is:
>>
>> subject = subject\\r\\n
>> subject_match = 0
>>
>> ..... I don't get it?! Shouldn't that be a match?
>
> The string '\r\n' != "\r\n"....

Okay, ... ... but I don't follow you. How does that apply?

Isn't that how someone would inject extra headers - by entering
\r\nbcc:.... (for instance)?

How do I detect that?

--
******************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
******************************
Jan 12 '07 #3
Rik
Chuck Anderson wrote:
> Rik wrote:
>> Chuck Anderson wrote:
>>> If I enter "subject\r\n" in the text field and click "Send Mail" the
>>> output is:
>>>
>>> subject = subject\\r\\n
>>> subject_match = 0
>>>
>>> ..... I don't get it?! Shouldn't that be a match?
>>
>> The string '\r\n' != "\r\n"....
>
> Okay, ... ... but I don't follow you. How does that apply?
>
> Isn't that how someone would inject extra headers - by entering
> \r\nbcc:.... (for instance)?
>
> How do I detect that?

They are not typing \r\n in that case. The \r and \n are carriage
return/line feed characters. You probably cannot test this in your form, as
in a normal text input you cannot enter these characters (in a textarea you
can, BTW). They can send POST data to your server without using the form
though, which is how they're able to send these newline characters.

To test this, you can either go through a lot of trouble trying to post
this to your script, but I'd go for the easy approach: make a string with a
newline in it and test this directly:

$string = "foo\r\nbar";
//or
$string = 'foo
bar';

And then check whether this string passes or not. It's not worth your effort
to mimic an evil post :-)
--
Rik Wasmus
Jan 12 '07 #4
Rik wrote:
> Chuck Anderson wrote:
>> Rik wrote:
>>> Chuck Anderson wrote:
>>>> If I enter "subject\r\n" in the text field and click "Send Mail" the
>>>> output is:
>>>>
>>>> subject = subject\\r\\n
>>>> subject_match = 0
>>>>
>>>> ..... I don't get it?! Shouldn't that be a match?
>>>
>>> The string '\r\n' != "\r\n"....
>>
>> Okay, ... ... but I don't follow you. How does that apply?
>>
>> Isn't that how someone would inject extra headers - by entering
>> \r\nbcc:.... (for instance)?
>>
>> How do I detect that?
>
> They are not typing \r\n in that case. The \r and \n are carriage
> return/line feed characters. You probably cannot test this in your form, as
> in a normal text input you cannot enter these characters (in a textarea you
> can, BTW). They can send POST data to your server without using the form
> though, which is how they're able to send these newline characters.
>
> To test this, you can either go through a lot of trouble trying to post
> this to your script, but I'd go for the easy approach: make a string with a
> newline in it and test this directly:
>
> $string = "foo\r\nbar";
> //or
> $string = 'foo
> bar';
>
> And then check whether this string passes or not. It's not worth your effort
> to mimic an evil post :-)

Okay, thanks. I get it now. What baffled me was just that. If I tested
by using:

$subject = "This is the Subject\r\n";

then preg_match('`[\r\n]`', $_POST['subject']) matched. If it was POSTed
from a text field in a form it would not.

The host I'm with actually uses Apache mod_security to disallow the
string cc: to appear in *any* POST variable. But I want to make sure my
scripts are secure regardless of that. (I also think that's a bit of
annoying overkill.)

Thanks for shedding some light on that \r\n thing for me.

(I'm going to start another thread, but what got me going on this is
that someone has started using my contact form to send spam to me - and
me alone. I am tracking the usage of my script closely and I can see
that they are not even trying to use it as an open emailer. But still,
..... it's a bit annoying.)

--
******************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
******************************
Jan 12 '07 #5
Chuck Anderson wrote:
<snip>
> I post the form to send_the_email_contact.php where I have the following
> test:
>
> if(preg_match('`[\r\n]`',$_POST['subject']))
> {
> exit ('injection attempt ');
>
> }
<snip>

You don't necessarily have to stop processing when validating mail
headers. You can easily strip out any CRLFs:

<?php
$safeHeader = str_replace(array("\r", "\n"), '', $_POST['subject']);
// strips out \r and \n, leaving the rest intact
?>

Curtis

Jan 13 '07 #6
Rik
Curtis wrote:
> Chuck Anderson wrote:
> <snip>
>> I post the form to send_the_email_contact.php where I have the
>> following test:
>>
>> if(preg_match('`[\r\n]`',$_POST['subject']))
>> {
>> exit ('injection attempt ');
>>
>> }
> <snip>
>
> You don't necessarily have to stop processing when validating mail
> headers. You can easily strip out any CRLFs.

You don't HAVE to. However, when something that will end up in a header
contains a CRLF when it shouldn't, I'd opt for not sending the mail at all.
It shouldn't be possible, so either there's something wrong with my code or
someone has sent faulty and potentially harmful information. Either way,
the mail should not be sent.
--
Rik Wasmus
Jan 13 '07 #7
True enough, I guess if anyone's using your script and sending CRLFs,
they probably don't have any intention of sending anything of value,
lol.

Anyway, in case anyone wants to check for CRLF without regex, it's not
too hard:

<?php
if ( strpos($header, "\r") !== false || strpos($header, "\n") !== false ) {
    // mail header injection attempt
}
?>

On Jan 13, 5:56 am, "Rik" <luiheidsgoe...@hotmail.com> wrote:
> Curtis wrote:
>> Chuck Anderson wrote:
>> <snip>
>>> I post the form to send_the_email_contact.php where I have the
>>> following test:
>>> if(preg_match('`[\r\n]`',$_POST['subject']))
>>> {
>>> exit ('injection attempt ');
>>> }
>> <snip>
>> You don't necessarily have to stop processing when validating mail
>> headers. You can easily strip out any CRLFs.
>
> You don't HAVE to. However, when something that will end up in a header
> contains a CRLF when it shouldn't, I'd opt for not sending the mail at all.
> It shouldn't be possible, so either there's something wrong with my code or
> someone has sent faulty and potentially harmful information. Either way,
> the mail should not be sent.
--
Rik Wasmus
Jan 14 '07 #8
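The two points made in this thread, Rik's advice in #4 to test with a literal string instead of the form (and in #7 to reject rather than strip) and Curtis's strpos() check in #8, put together in one runnable script. This is an added example, not code posted by anyone in the thread; has_crlf() and header_field() are names I chose, and the inputs are constructed.

```php
<?php
// Added example, not code from the thread. has_crlf() and header_field()
// are my own names; the inputs below are constructed test strings.

// True when $value contains a real carriage return or line feed byte.
function has_crlf(string $value): bool
{
    return strpos($value, "\r") !== false || strpos($value, "\n") !== false;
}

// Validate a value destined for a mail header (From, Subject, ...).
// Returns the trimmed value, or null when the mail must not be sent.
function header_field(string $value, int $maxLen = 200): ?string
{
    if (has_crlf($value)) {
        return null;            // reject rather than strip (Rik's point in #7)
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Constructed inputs. 'typed' is what the browser sends when the six
// characters \r\n are typed into a text field: a backslash, an r, a
// backslash and an n, which is harmless text. 'real' carries the actual
// CR and LF bytes, which a textarea or a request sent outside the form
// can deliver (the case from #3 and #4).
$inputs = [
    'typed' => 'This is the subject\r\n',   // single quotes: no escapes
    'real'  => "This is the subject\r\nbcc: someone@example.com",
    'blank' => '   ',
];

foreach ($inputs as $label => $value) {
    $verdict = header_field($value) === null ? 'rejected' : 'accepted';
    // The regex from the original post reaches the same verdict as strpos().
    $regex = preg_match('`[\r\n]`', $value);
    printf("%-6s header_field: %-8s preg_match: %d\n", $label, $verdict, $regex);
}
```

Run it from the command line with php; the name, subject and sender address fields from the contact form would all go through header_field() before reaching mail().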
