ZF-8723: addBcc() and addCc() also add email addresses to the "To" header

Description

I have the following simple code:


$mail = new Zend_Mail();}}
$mail->setBodyText('This is the text of the mail.');
$mail->setFrom('somebody@example.com', 'Some Sender');
$mail->addTo('jan.olsen@example.com');
$mail->addBcc('janpolsen@example.com'); //notice a different email address
$mail->setSubject('TestSubject');
$mail->send();

When I run this code, I will receive an email with BOTH {{jan.olsen@example.com}} and {{janpolsen@example.com}} in the TO field. That is very very very unfortunate, because it will expose email addresses when it shouldn't :(.

The same happens if I use {{addCc()}}.

As I see it, then the only possible way to send mails to people using BCC is by tricking {{addHeader()}} to accept "Bcc".

Back in 2007 "mike55" wrote about this issue (http://mail-archive.com/fw-general@lists.zend.com/…), but it seems that the problem is still there.

PS: This is only tested on ZF v1.9.3PL1, but I can't see any fixes/changes regarding this in the changelogs from v1.9.3 through v1.9.6.

Comments

Sendmail Transport and Windows?

If yes => "As the PHP manual states the mail() function has different behaviour on Windows and on *nix based systems. Using the Sendmail Transport on Windows will not work in combination with addBcc(). The mail() function will sent to the BCC recipient such that all the other recipients can see him as recipient!

Therefore if you want to use BCC on a windows server, use the SMTP transport for sending!"

Extract of the new documentation for ZF 1.10

Thanks for the super fast response :)

Windows... check Sendmail Transport... check (it's the default which I can read is {{Zend_Mail_Transport_Sendmail}}

So it's a PHP "bug"?

How come I can add: {{$mail->addHeader("Bcc: janpolsen@example.com\r\n", null);}} ... which will work without exposing the email address?

I will try to see if I can change the Transport method.

It does indeed seem to work if I use:


$tr1 = new Zend_Mail_Transport_Smtp('exchange.example.com');

$mail = new Zend_Mail();
...
$mail->send($tr1);

I do however find it a bit weird, when I can use the {{addHeader()}}-trick.

In that case someone else will have to resolve this issue, since I only have linux and can't test on windows.

Sorry, I have been inactive since last April.

If it doesn't work it is not supported. You're probably best off reporting this bug to the php bugtracker if there isn't a bugreport already. I'm postponing this issue so that if Zend\Mail (zf2) doesn't support it either (which I'm not expecting), we can test it again and add a nice disclaimer in the documentation.

Thank you for taking the time to report this issue.

Leaving this issue open to make sure it gets documented with zf2

I've got the same problem here.

The problem is here (Zend/Mail/Transport/Sendmail.php):


$result = mail(
    $this->recipients, //contain all addresses from to, cc and bcc (should only contain "to")
    $this->_mail->getSubject(),
    $this->body,
    $this->header //contain all headers with cc, bcc (and not to -> like it should be)
);

The "to" can also be empty, if only using "bcc"

My patchfor now:


     public function _sendMail()
     {
         if ($this->parameters === null) {
+           
+           $recipients = $this->_mail->getHeaders();       
+           if(isset($recipients['To']))
+               $toMail = $this->recipients['To'];
+           else
+               $toMail = '';
+           
             set_error_handler(array($this, '_handleMailErrors'));
             $result = mail(
-                $this->recipients,
+                $toMail,
                 $this->_mail->getSubject(),
                 $this->body,
                 $this->header);

The code above my post doesn't work for me. So this is my patch. Please correct the original ZF.


    public function _sendMail()
    {
        if ($this->parameters === null) {
            $headers = $this->_mail->getHeaders();
            if (isset($headers['To'])) {
                unset($headers['To']['append']);
                $this->recipients = implode(',', $headers['To']);
            } else {
                $this->recipients = '';
            }
            set_error_handler(array($this, '_handleMailErrors'));
            $result = mail(
                $this->recipients,
                $this->_mail->getSubject(),
                $this->body,
                $this->header);
            restore_error_handler();