Issues

ZF-8723: addBcc() and addCc() also add email addresses to the "To" header

Issue Type: Docs: Task Created: 2010-01-06T05:23:01.000+0000 Last Updated: 2012-08-03T08:10:42.000+0000 Status: Open Fix version(s): - Next Major Release ()

Reporter: Jan Olsen (janpolsen) Assignee: Dolf Schimmel (Freeaqingme) (freak) Tags: - Zend_Mail

Related issues: Attachments:

Description

I have the following simple code:

<pre class="highlight">
$mail = new Zend_Mail();
$mail->setBodyText('This is the text of the mail.');
$mail->setFrom('somebody@example.com', 'Some Sender');
$mail->addTo('jan.olsen@example.com');
$mail->addBcc('janpolsen@example.com'); //notice a different email address
$mail->setSubject('TestSubject');
$mail->send();

When I run this code, I will receive an email with BOTH jan.olsen@example.com and janpolsen@example.com in the TO field. That is very very very unfortunate, because it will expose email addresses when it shouldn't :(.

The same happens if I use addCc().

As I see it, then the only possible way to send mails to people using BCC is by tricking addHeader() to accept "Bcc".

Back in 2007 "mike55" wrote about this issue (http://mail-archive.com/fw-general@lists.zend.com/…), but it seems that the problem is still there.

PS: This is only tested on ZF v1.9.3PL1, but I can't see any fixes/changes regarding this in the changelogs from v1.9.3 through v1.9.6.

Comments

Posted by Mickael Perraud (mikaelkael) on 2010-01-06T05:30:41.000+0000

Sendmail Transport and Windows?

If yes => "As the PHP manual states the mail() function has different behaviour on Windows and on *nix based systems. Using the Sendmail Transport on Windows will not work in combination with addBcc(). The mail() function will sent to the BCC recipient such that all the other recipients can see him as recipient!

Therefore if you want to use BCC on a windows server, use the SMTP transport for sending!"

Extract of the new documentation for ZF 1.10

Posted by Jan Olsen (janpolsen) on 2010-01-06T05:42:46.000+0000

Thanks for the super fast response :)

Windows... check Sendmail Transport... check (it's the default which I can read is Zend_Mail_Transport_Sendmail

So it's a PHP "bug"?

How come I can add: $mail->addHeader("Bcc: janpolsen@example.com\r\n", null); ... which will work without exposing the email address?

I will try to see if I can change the Transport method.

Posted by Jan Olsen (janpolsen) on 2010-01-06T06:05:52.000+0000

It does indeed seem to work if I use:

<pre class="highlight">
$tr1 = new Zend_Mail_Transport_Smtp('exchange.example.com');

$mail = new Zend_Mail();
...
$mail->send($tr1);

I do however find it a bit weird, when I can use the addHeader()-trick.

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2010-01-06T06:08:21.000+0000

In that case someone else will have to resolve this issue, since I only have linux and can't test on windows.

Posted by Satoru Yoshida (satoruyoshida) on 2010-06-09T00:22:11.000+0000

Sorry, I have been inactive since last April.

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2010-07-16T14:53:49.000+0000

If it doesn't work it is not supported. You're probably best off reporting this bug to the php bugtracker if there isn't a bugreport already. I'm postponing this issue so that if Zend\Mail (zf2) doesn't support it either (which I'm not expecting), we can test it again and add a nice disclaimer in the documentation.

Thank you for taking the time to report this issue.

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2010-07-17T07:13:41.000+0000

Leaving this issue open to make sure it gets documented with zf2

Posted by Martin Keckeis (thadafinser) on 2011-02-07T06:14:37.000+0000

I've got the same problem here.

The problem is here (Zend/Mail/Transport/Sendmail.php):

<pre class="highlight">
$result = mail(
    $this->recipients, //contain all addresses from to, cc and bcc (should only contain "to")
    $this->_mail->getSubject(),
    $this->body,
    $this->header //contain all headers with cc, bcc (and not to -> like it should be)
);

The "to" can also be empty, if only using "bcc"

My patchfor now:

<pre class="highlight">
     public function _sendMail()
     {
         if ($this->parameters === null) {
+           
+           $recipients = $this->_mail->getHeaders();       
+           if(isset($recipients['To']))
+               $toMail = $this->recipients['To'];
+           else
+               $toMail = '';
+           
             set_error_handler(array($this, '_handleMailErrors'));
             $result = mail(
-                $this->recipients,
+                $toMail,
                 $this->_mail->getSubject(),
                 $this->body,
                 $this->header);

Posted by Tobias Weber (tobias654) on 2012-08-03T08:10:42.000+0000

The code above my post doesn't work for me. So this is my patch. Please correct the original ZF.

<pre class="highlight">
    public function _sendMail()
    {
        if ($this->parameters === null) {
            $headers = $this->_mail->getHeaders();
            if (isset($headers['To'])) {
                unset($headers['To']['append']);
                $this->recipients = implode(',', $headers['To']);
            } else {
                $this->recipients = '';
            }
            set_error_handler(array($this, '_handleMailErrors'));
            $result = mail(
                $this->recipients,
                $this->_mail->getSubject(),
                $this->body,
                $this->header);
            restore_error_handler();

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts