[ZendTo] Mail header bug on Ubuntu 22.04 / PHP 8.1
Adam Thorn
alt36 at cam.ac.uk
Fri Nov 11 18:07:14 GMT 2022
I'm working on deploying ZendTo to a new Ubuntu 22.04 server. My current
ZendTo instance is on Ubuntu 18.04: in both cases I'm using the stock
Ubuntu-provided PHP packages, so am moving from PHP 7.4 to PHP 8.1. I'm
also moving from ZendTo 5.17-6 to 6.13-2 but I don't think that change
is too relevant, as the bug I've spotted is in code which is identical
between those ZendTo versions.
The specific problem I've spotted is in NSSDropbox.php: there may be
similar problems elsewhere. I don't use phpmailer so am looking at the
code path through deliverEmail() which ends in a call to PHP's mail()
function.
On the older PHP7.4 server, when I make a dropoff which in turn sends a
mail, everything about the mail is fine, and when I view the mail
headers in Thunderbird I see e.g.
From: ZendTo Service <no-reply at cam.ac.uk>
Reply-to: alt36 at cam.ac.uk
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
However, making a similar dropoff on PHP8.1 the equivalent header lines
read...
From: ZendTo Service <no-reply at cam.ac.uk>
 Reply-to: alt36 at cam.ac.uk
 Content-Type: text/plain; charset=UTF-8; format=flowed
 Content-Transfer-Encoding: 8bit
i.e. there's an extra leading space on the lines after From: which are
generated within deliverEmail(). This is invalid, and leads to my mail
client displaying a mangled From: which is the concatenation of the
above four lines, and with no Reply-To set (and presumably ignoring
Content-Type etc. as well).
I note the same code block would also generate the bcc: header lines if
needed, so I suspect this bug would also lead to the bcc: recipients
being ignored, but I haven't experimented there.
My minimal demo of the problem, and then also what I believe is the fix,
is....
# begin demo, following the code used in deliverEmail()
$headers = '';
$to = 'alt36 at cam.ac.uk';
$sender = 'no-reply at example.com';
$subject = 'Test subject';
$content = 'This is a test email';
$fromAddr = 'sender at example.com';
$headers = sprintf("From: %s", $sender) . PHP_EOL .
sprintf("Reply-to: %s", $fromAddr) . PHP_EOL . $headers;
$headers .= "MIME-Version: 1.0".PHP_EOL;
$headers .= "Content-Type: text/plain; charset=UTF-8; format=flowed".PHP_EOL;
$headers .= "Content-Transfer-Encoding: 8bit".PHP_EOL;
mail($to, $subject, $content, $headers);
# end demo
The problem is the use of PHP_EOL, which of course on my Ubuntu system
is the LF character. However, the PHP docs
https://www.php.net/manual/en/function.mail.php state that the $headers
need to be separated by CRLF. The use of CRLF is also specified e.g. in
RFC 2822.
If I replace the PHP_EOL uses in my example above with literal "\r\n"
strings, the unwanted leading spaces in the headers of the sent mail
disappear and my mail client displays everything as I'd expect.
Given the above, I speculate that there's been a change in the behaviour
of mail() between the PHP versions but haven't gone searching through
changelogs. I also haven't attempted to understand why the use of just
PHP_EOL leads to those extra leading spaces appearing - that may just be
an artefact of how my mail client ends up displaying a string with
embedded LF characters when it's expecting CRLF, though. And, I've not
looked more widely to see if there are other places in ZendTo with the
same issue.
Regards,
Adam
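
An added example, not part of the original post and not ZendTo's code: a header builder that joins fields with CRLF, as the mail() documentation requires, and refuses names or values containing CR or LF, plus a small unfolder showing how a reader treats a header line that begins with a space. The helper names buildMailHeaders and unfoldHeaders and all addresses are assumptions; mail() itself is left commented out so the script runs offline.

```php
<?php
// Added example, not ZendTo code. buildMailHeaders() and unfoldHeaders()
// are hypothetical helper names; all addresses are constructed samples.

/** Join header fields with CRLF, as mail() and RFC 2822 require. */
function buildMailHeaders(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        // A bare CR or LF inside a name or value would start a new header
        // line (or a folded one), so refuse it instead of passing it on.
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException("CR/LF in header '$name'");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

/** Unfold a header block the way a reader does: a line that starts with
 *  a space or tab continues the previous field (RFC 2822 section 2.2.3). */
function unfoldHeaders(string $block): array
{
    $fields = [];
    foreach (preg_split('/\r\n|\n/', $block, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        if (($line[0] === ' ' || $line[0] === "\t") && $fields) {
            $fields[count($fields) - 1] .= ' ' . ltrim($line);
        } else {
            $fields[] = $line;
        }
    }
    return $fields;
}

$headers = buildMailHeaders([
    'From'         => 'ZendTo Service <no-reply@example.com>',
    'Reply-To'     => 'sender@example.com',
    'MIME-Version' => '1.0',
    'Content-Type' => 'text/plain; charset=UTF-8; format=flowed',
    'Content-Transfer-Encoding' => '8bit',
]);
// mail($to, $subject, $content, $headers);  // $headers is CRLF-separated

// Constructed sample with a leading space on the lines after From:.
$broken = "From: ZendTo Service <no-reply@example.com>\n Reply-to: sender@example.com\n Content-Type: text/plain";
print_r(unfoldHeaders($headers));
print_r(unfoldHeaders($broken));
```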