I’ve just been reading about email injection and was curious about this. From what I can tell you need to approach the headers and the body differently. Some headers might look like this:
to: email@example.com
subject: Email Enquiry from John Smith
from: John Smith <firstname.lastname@example.org>
First and foremost, it looks like you need to remove line returns to prevent header injection. For example, if "John Smith" in the subject header was taken from user input as-is, they could inject new headers. Is that the gist of it?
So if you do something like (in PHP):
$subject = str_ireplace(array("\r", "\n", "%0a", "%0d"), "", $subject) would that prevent header injection or do you need to search for to:, bcc:, cc: as well? I.e. once a header is declared on a line can it be redeclared later on (on the same line)? If not, then there’s no need to search for to:, bcc: and cc:
For the body, the only real injection I can see is if they add a Content-Type: header, as it overrides the previous one. So in this case I’m assuming something like
$body = str_ireplace("Content-Type:", "Content type", $body) would do it. Not ideal as it changes the content of the email. Is there a better way?
I appreciate there are classes out there that do all this but I’m interested in how it works.
P.S. Just thought, if you’re using a random boundary presumably you don’t need to worry too much about the body. Other than, I guess, let’s say you’re doing an auto-response form and it says:
$body = "Dear $formName, Thanks for your email ...";
They could add as their name:
http://www.spam-link.com/1/
http://www.spam-link.com/2/
http://www.spam-link.com/3/
Essentially using your form to send spam using your mail server.
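As an added example (not code from the original post), the PHP below builds a raw message by hand and shows the three points the question circles around: a header value can only inject a header if it contains a line break, so rejecting CR/LF (rather than stripping, and without any search for bcc:/cc:) is enough; form input is already URL-decoded by the time it reaches your code, so literal "%0a"/"%0d" sequences are just text; and once the blank line ends the header block, a "Content-Type:" string inside the body is delivered as body text, not read as a header. The function names, the 64-character name limit and the sample inputs are constructed for illustration; it assembles the message as a string and does not call mail().

```php
<?php
// Added example, not from the original post. Function names, the name-length
// limit and all sample input below are constructed for illustration.

/**
 * Return $value if it can safely occupy a single header line; throw otherwise.
 * Rejecting beats stripping: a CR or LF in a name or subject is never
 * legitimate form input, and stripping would silently hide the attempt.
 * PHP has already URL-decoded form input, so a literal "%0a" is ordinary text
 * here and needs no special handling.
 */
function assertSingleLine(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains a line break');
    }
    return $value;
}

/**
 * Wrap a display name as an RFC 5322 quoted-string so that quotes, angle
 * brackets or commas in user input cannot alter the address structure.
 */
function quoteDisplayName(string $name): string
{
    return '"' . addcslashes(assertSingleLine($name), "\\\"") . '"';
}

/**
 * Build the header block. A header can only be injected if a value ends the
 * current line, so once every value is confirmed single-line there is no need
 * to search for "bcc:" or "cc:" inside it.
 */
function buildHeaders(string $fromName, string $fromAddr, string $subject): string
{
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    return 'From: ' . quoteDisplayName($fromName) . ' <' . $fromAddr . ">\r\n"
         . 'Subject: ' . assertSingleLine($subject) . "\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n"
         . "Content-Transfer-Encoding: 8bit\r\n";
}

/** The blank line terminates the header block; everything after it is body. */
function buildMessage(string $headers, string $body): string
{
    return $headers . "\r\n" . $body;
}

/** Split a raw message into [headers, body] the way a mail parser does. */
function splitMessage(string $raw): array
{
    $parts = explode("\r\n\r\n", $raw, 2);
    return [$parts[0], $parts[1] ?? ''];
}

/**
 * Heuristic for the auto-response case: a display name has no business
 * carrying links, and a length cap limits how much text the form can be made
 * to relay. The 64-character limit is an assumption, not a standard.
 */
function isPlausibleName(string $name): bool
{
    return strlen($name) <= 64
        && preg_match('/[\r\n\0]/', $name) !== 1
        && stripos($name, '://') === false;
}

// --- demonstration with constructed input ---
$attempts = [
    ['John Smith', 'Email enquiry from John Smith'],        // normal enquiry
    ['John Smith', "Hello\r\nBcc: victim@example.net"],      // line break in subject
    ["John\nCc: victim@example.net", 'Hello'],               // line break in name
];
foreach ($attempts as [$name, $subject]) {
    try {
        echo "accepted:\n", buildHeaders($name, 'noreply@example.org', $subject), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// A header-looking line typed into the body stays in the body.
$body = "Dear John Smith,\nContent-Type: text/html\nThanks for your email.";
[$h, $b] = splitMessage(buildMessage(
    buildHeaders('Site', 'noreply@example.org', 'Re: enquiry'), $body));
echo (strpos($b, 'Content-Type: text/html') !== false
      && strpos($h, 'text/html') === false)
    ? "header-looking text was delivered as body text\n" : "unexpected\n";

// The spam-relay concern from the P.S.: links in a "name" are rejected up front.
var_dump(isPlausibleName('John Smith'));                       // true
var_dump(isPlausibleName('http://www.spam-link.com/1/ ...'));  // false
```

Run it with `php example.php`; the second and third attempts are rejected with the line-break message, the first is accepted. The one thing the string approach cannot fix is the relay problem in the P.S.: if the form echoes free text back to an address the visitor supplies, the only defences are limiting what that text may contain (as isPlausibleName does), capping its length, and rate-limiting the form.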