引用/转义邮件正文中的变量 [英] Quoting/Escaping variables in mail body
问题描述
我有点尴尬,因为我用PHP生成了一个邮件正文而没有转义变量.在HTML中,我正在使用htmlspecialchars()或类似函数,将它们用于命令行scapeshellarg(),但用于邮件?例如这样的东西:
I am feeling a bit awkward, because I am generating a mail-body with PHP without escaping the variables. In HTML I am using htmlspecialchars() or similar functions, for command lines escapeshellarg(), but for mails? For example something like this:
<?php
$usercontent = $_GET['usercontent'];
mail("dummy@nowhere.tld", "My Subject", "My body with $usercontent included");
?>
一个可能的攻击者如何使用上面的脚本,我该如何防范这种攻击?还是PHP mail()保存,为什么?
What could a possible attacker do with a script like the one above and how could I protect against such an attack? Or is PHP mail() save and why?
更新
请参考示例:
- 仅身体受到影响(无标题!)
- 内容类型为文本/纯文本
- 一些答案的证明会很好
- MTA是带有"/usr/sbin/sendmail -t -i"的后缀sendmail
推荐答案
基本电子邮件正文是纯文本.如果要使用其他类型的内容(例如HTML或多部分邮件),则需要使用MIME扩展名,并使用 Content-Type 相应地指定类型(例如,对于HTML而言,text/html或对于多部分而言,multipart/…消息).
The basic e-mail message body is plain text. If you want a different type like HTML or a multipart message, you need to use the MIME extension and specify the type accordingly using Content-Type (e.g. text/html for HTML or multipart/… for a multipart message).
因此,从安全角度来看,没有办法注入任何有害的东西(至少不是按照规范).即使缺少使用的字符编码声明,即使是非ASCII字符也应正确处理.
So from the security perspective, there is no way to inject anything harmful (at least not as per specification). Even non-ASCII characters should be handled correctly despite the lacking declaration of the used character encoding.
但是,电子邮件客户端中仍然可能存在一些漏洞,可以通过这种方式加以利用.但我对此表示怀疑.
However, there still may be some flaws in e-mail clients which can be exploited this way. But I doubt that.
这篇关于引用/转义邮件正文中的变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
