Plugin for header injection prevention

Swift Mailer is a fantastic library for sending email with PHP. Discuss this library or ask any questions about it here.

Moderators: Chris Corbyn, General Moderators

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Plugin for header injection prevention

Post by alex.barylski »

I asked in the security forum the other day about header injections and it was brought to my attention that it's mostly an issue for SMTP.

I'm curious if Swift does anything to prevent exploits, or if it's possible to use a plugin?

Is this something that 'must' be handled by the client developer?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Plugin for header injection prevention

Post by Chris Corbyn »

It's not possible to perform header-injection with Swift unless you do it explicitly by using the addHeader() methods etc. Swift doesn't "strip" dangerous data... instead it encodes it into data that is usable. i.e. if somebody tries to inject a new line (\x0A) Swift Mailer will not add the new line character, instead it adds "=0A" which decodes back to a new line on the client side, without breaking the headers.

Lossless security :)
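The encoding behaviour described in the reply above, shown as an added stand-alone PHP example (not Swift Mailer's own code and not written by either poster). It assumes the RFC 2047 "Q" encoded-word form; the function names `qEncodeHeaderValue` and `qDecodeHeaderValue` and the sample subject are constructed for this illustration.

```php
<?php
// Added example: RFC 2047 "Q" encoding of a header value (simplified: it does
// not split encoded-words longer than 75 characters across folded lines).
function qEncodeHeaderValue(string $value, string $charset = 'utf-8'): string
{
    $encoded = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $byte = $value[$i];
        if (preg_match('/^[A-Za-z0-9!*+\/-]$/', $byte)) {
            $encoded .= $byte;                          // safe as-is
        } elseif ($byte === ' ') {
            $encoded .= '_';                            // Q-encoding for space
        } else {
            $encoded .= sprintf('=%02X', ord($byte));   // CR, LF, ':' etc.
        }
    }
    return "=?{$charset}?Q?{$encoded}?=";
}

// Inverse operation, as a mail client would apply when displaying the header.
function qDecodeHeaderValue(string $word): string
{
    if (!preg_match('/^=\?[^?]+\?Q\?([^?]*)\?=$/i', $word, $m)) {
        return $word;                                   // not an encoded-word
    }
    $text = str_replace('_', ' ', $m[1]);
    return preg_replace_callback('/=([0-9A-Fa-f]{2})/', function ($h) {
        return chr(hexdec($h[1]));
    }, $text);
}

// Constructed input: a subject carrying CRLF plus an extra header line.
$subject = "Hello\r\nX-Injected: yes";

$raw     = "Subject: " . $subject;                      // naive concatenation
$encoded = "Subject: " . qEncodeHeaderValue($subject);  // encoded value

printf("raw:     %d header line(s)\n", count(explode("\r\n", $raw)));
printf("encoded: %d header line(s)\n", count(explode("\r\n", $encoded)));
echo $encoded, "\n";

// The original bytes are recoverable, so nothing was stripped.
var_dump(qDecodeHeaderValue(qEncodeHeaderValue($subject)) === $subject);
```

The raw concatenation yields two header lines while the encoded form stays on one, and the round trip returns the original bytes unchanged.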