Possible Security Issue with FILTER_VALIDATE_EMAIL
July 19, 2008 | PHP

Just a few days ago I recommended using filter_var() with the FILTER_VALIDATE_EMAIL argument as a convenient means of validating email address formats. However, Phill Pafford (ReliableSource.org) pointed out at WebDeveloper.com that there was a security bulletin suggesting a potential danger due to this validation allowing linefeeds in certain situations. I did a little testing, and sure enough, I found that if the email ends in a linefeed character, it still passes validation.
<?php
header('Content-Type: text/plain');

// Insert a single linefeed at every position of a well-formed address
// (index 0 through strlen, so the final iteration appends it) and see
// which variants FILTER_VALIDATE_EMAIL still accepts. A passing address
// is returned as-is; a failing one yields bool(false).
$email = 'foo@bar.com';
$len = strlen($email);
for ($i = 0; $i <= $len; $i++)
{
    $test = substr_replace($email, "\n", $i, 0);
    $result = filter_var($test, FILTER_VALIDATE_EMAIL);
    var_dump($result);
}
?>
Which outputs:

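The reason a stray linefeed matters is that mail headers are newline-delimited: if an address that passed validation is later placed into a To or Reply-To header by mail() or similar code, a trailing "\n" or an embedded "\r\n" can terminate that header and let the caller append its own (a Bcc to another recipient, for instance). The following is an added example, not code from the original post: a stricter wrapper, with a name I chose (validate_email_strict), that refuses any control character before handing the value to filter_var(), run against constructed inputs next to the unwrapped check.

```php
<?php
// Added example, not part of the original post. validate_email_strict() is
// my own name for a wrapper that rejects control characters before calling
// the built-in validator, so a trailing "\n" can never slip through even on
// a PHP build whose FILTER_VALIDATE_EMAIL accepts it.
function validate_email_strict($email)
{
    if (!is_string($email)) {
        return false;
    }
    // Reject ASCII control characters (0x00-0x1F and 0x7F) outright. This
    // covers the trailing linefeed case described above as well as CRLF
    // sequences that would end a header line if the value reached mail().
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
        return false;
    }
    // Only a control-free string is passed to the format validator.
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

// Constructed inputs: a clean address, the trailing-linefeed case from the
// post, an embedded CRLF carrying an extra header, and a malformed value.
$cases = array(
    "foo@bar.com",
    "foo@bar.com\n",
    "foo@bar.com\r\nBcc: other@example.net",
    "not an address",
);

header('Content-Type: text/plain');
foreach ($cases as $case) {
    printf("%-45s loose=%-14s strict=%s\n",
        json_encode($case),
        var_export(filter_var($case, FILTER_VALIDATE_EMAIL), true),
        var_export(validate_email_strict($case), true));
}
?>
```

The "loose" column shows what the bare filter returns on whatever PHP version you run this on; the "strict" column is false for every input containing a control character regardless of version, which is the property you want before an address is ever interpolated into a header.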