[ZendTo] Mail header bug on Ubuntu 22.04 / PHP 8.1

Mon Nov 14 08:57:55 GMT 2022

There is a current thread on the issue here:
https://github.com/php/php-src/issues/8086

The ugly cludge of dos2unix setting sendmail_path to
'/usr/bin/dos2unix -u|/usr/sbin/sendmail -t -i'

It does seem like the PHP devs are not seeing this as their issue.

Cheers
Mark

-----Original Message-----
From: ZendTo <zendto-bounces at zend.to> On Behalf Of Adam Thorn via ZendTo
Sent: 11 November 2022 18:07
To: ZendTo Users <zendto at zend.to>
Cc: Adam Thorn <alt36 at cam.ac.uk>
Subject: [ZendTo] Mail header bug on Ubuntu 22.04 / PHP 8.1

CAUTION: External email. Ensure this message is from a trusted source before clicking links/attachments.

I'm working on deploying ZendTo to a new Ubuntu 22.04 server. My current ZendTo instance is on Ubuntu 18.04: in both cases I'm using the stock Ubuntu-provided PHP packages, so am moving from PHP 7.4 to PHP 8.1. I'm also moving from ZendTo 5.17-6 to 6.13-2 but I don't think that change is too relevant, as the bug I've spotted is in code which is identical between those ZendTo versions.

The specific problem I've spotted is in NSSDropbox.php : there may be similar problems elsewhere. I don't use phpmailer so am looking at the code path through deliverEmail() which ends in a call to PHP's mail() function.

On the older PHP7.4 server, when I make a dropoff which in turn sends a mail, everything about the mail is fine, and when I view the mail headers in Thunderbird I see e.g.

From: ZendTo Service <no-reply at cam.ac.uk>
Reply-to: alt36 at cam.ac.uk
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

However, making a similar dropoff on PHP8.1 the equivalent header lines read...

From: ZendTo Service <no-reply at cam.ac.uk>
  Reply-to: alt36 at cam.ac.uk
  Content-Type: text/plain; charset=UTF-8; format=flowed
  Content-Transfer-Encoding: 8bit

i.e. there's an extra leading space on the lines after From: which are generated within deliverEmail(). This is invalid, and leads to my mail client displaying a mangled From: which is the concatenation of the above four lines, and with no Reply-To set (and presumably ignoring Content-Type etc as well)

I note the same code block would also generate the bcc: header lines if needed, so I suspect this bug would also lead to the bcc: recipients being ignored, but I haven't experimented there.

My minimal demo of the problem, and then also what I believe is the fix, is....

# begin demo, following the code used in deliverEmail()

$headers = '';

$to = 'alt36 at cam.ac.uk';
$sender = 'no-reply at example.com';

$subject = 'Test subject';
$content = 'This is a test email';

$fromAddr = 'sender at example.com';

$headers = sprintf("From: %s", $sender) . PHP_EOL .
sprintf("Reply-to: %s", $fromAddr) . PHP_EOL . $headers; $headers .= "MIME-Version: 1.0".PHP_EOL; $headers .= "Content-Type: text/plain; charset=UTF-8; format=flowed".PHP_EOL; $headers .= "Content-Transfer-Encoding: 8bit".PHP_EOL;

mail($to, $subject, $content, $headers);

# end demo

The problem is the use of PHP_EOL, which of course on my Ubuntu system is the LF character. However, the PHP docs
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.php.net%2Fmanual%2Fen%2Ffunction.mail.php&data=05%7C01%7Cm.v.sangster%40abdn.ac.uk%7Cf481c9547bf842ca68ff08dac40f9939%7C8c2b19ad5f9c49d490773ec3cfc52b3f%7C0%7C0%7C638037868523859206%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oz156zAl2%2BZEQZ6uzwoirGCcvzMZjqhRmfYHLY0vMnU%3D&reserved=0 state that the $headers need to be separated by CRLF. The use of CRLF is also specified e.g. in RFC 2822.

If I replace the PHP_EOL uses in my example above with literal "\r\n"
strings, the unwanted leading spaces in the headers of the sent mail disappear and my mail client displays everything as I'd expect.

Given the above, I speculate that there's been a change in the behaviour of mail() between the PHP versions but haven't gone searching through changelogs. I also haven't attempted to understand why the use of just PHP_EOL leads to those extra leading spaces appearing - that may just be an artefact of how my mail client ends up displaying a string with embedded LF characters when it's expecting CRLF, though. And, I've not looked more widely to see if there are other places in ZendTo with the same issue.

Regards,

Adam

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fjul.es%2Fmailman%2Flistinfo%2Fzendto&data=05%7C01%7Cm.v.sangster%40abdn.ac.uk%7Cf481c9547bf842ca68ff08dac40f9939%7C8c2b19ad5f9c49d490773ec3cfc52b3f%7C0%7C0%7C638037868523859206%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=c4wqnsKQnAlH77pk1kDIv%2FVu78OdLiPKu8q3DpAeaF8%3D&reserved=0

The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.