mail() and mb_send_mail() Hardened Against Header Injections

Sending emails is a common task and, of course, PHP has had support for this for a long time. Not properly validating values used in custom headers – passed in via the optional parameter $additional_headers to the mail() and mb_send_mail() functions – allows an attacker to take control over the sender and recipient fields as well as the very content of the email. The attack is classic header injection: a carriage return and line feed (CRLF) embedded in an attacker-controlled value terminates the header it was meant to fill, so whatever follows is parsed as a further header (for example an additional Cc or Bcc), and an empty line followed by text becomes a new message body.

To protect against these injections, PHP 7.2 now parses the $additional_headers string and employs security filters and restrictions on the individual header fields. For security reasons – and because it would also be invalid according to the email RFCs – headers such as To or Subject can no longer be set via the $additional_headers parameter. As those fields are available via the dedicated $to and $subject parameters of mail() and mb_send_mail(), this change should not pose a problem.

Starting with PHP 7.2, mail() and mb_send_mail() also accept an array as $additional_headers rather than only a string. We recommend always supplying additional headers as an array, one header field per array element, with the header name as the key and the header value as the element value. This keeps header names and values separate, so a value can no longer silently grow into a second header.

The same security restrictions apply regardless of whether an array or a string is used. Passing an array does not remove the need to validate the values themselves: a sender address taken from user input should still be checked before it reaches the headers.
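The following is an added example written for this page, not code from the PHP manual or from PHP's own implementation. It contrasts the vulnerable string-concatenation pattern with the array form described above, and adds explicit validation of user-supplied values in front of mail(). The function names (send_contact_form_vulnerable, send_contact_form_hardened, assert_single_line_header_value), the recipient support@example.com and the attacker input are constructed for illustration.

```php
<?php
// Added example, not from the PHP manual or from PHP's source.
// Requires PHP >= 7.2 for the array form of $additional_headers.
declare(strict_types=1);

// VULNERABLE: the user-supplied address is concatenated into the headers
// string. A CRLF inside $userEmail ends the From header, and everything
// after it is treated as further headers (or, after an empty line, body).
function send_contact_form_vulnerable(string $userEmail, string $body): bool
{
    $headers = "From: {$userEmail}\r\n" .
               "Reply-To: {$userEmail}\r\n";
    return mail('support@example.com', 'Contact form', $body, $headers);
}

// Constructed attacker input (hypothetical): the CRLF appends a Bcc header
// so the message is also delivered to an address of the attacker's choice.
const ATTACKER_INPUT = "victim@example.com\r\nBcc: spam-target@example.net";

// Rejects any value that could span more than one header line.
function assert_single_line_header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('Header value must not contain CR or LF');
    }
    return $value;
}

// HARDENED: validate the address, then pass headers as an array with the
// header name as key. To and Subject go through their own parameters and
// must not appear in $additional_headers on PHP 7.2 and later.
function send_contact_form_hardened(string $userEmail, string $body): bool
{
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }

    $headers = [
        'From'     => assert_single_line_header_value($userEmail),
        'Reply-To' => assert_single_line_header_value($userEmail),
    ];

    return mail('support@example.com', 'Contact form', $body, $headers);
}

// Demonstration: the hardened variant refuses the injected value
// before mail() is ever called.
try {
    send_contact_form_hardened(ATTACKER_INPUT, 'hello');
    echo "unexpected: injected address accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // prints "rejected: Invalid sender address"
}
```

Two checks are stacked deliberately. filter_var() with FILTER_VALIDATE_EMAIL already rejects addresses containing CR or LF, and assert_single_line_header_value() repeats the line check for any header value that is not an email address (a display name, a tracking identifier, and so on). The PHP 7.2 parser is the last line of defence, not the first; calling mail() with an MTA configured is still required for the message to actually leave the host.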