Sat, 07 Apr 2007


The first Post Month of PHP Bugs vulnerability describes a vulnerability in PHP's new input filtering/validation extension. The FILTER_VALIDATE_EMAIL filter of ext/filter internally uses a wrong regular expression that allows injecting a newline character at the end of the email string.

Affected versions

Affected is PHP 5.2.0 and PHP 5.2.1

Detailed information

The filter extension internally uses the PCRE library for regular expressions. In the FILTER_VALIDATE_EMAIL filter the D modifier is not used. As long the D modifier is not used within a PCRE regular expression the meaning of the $ is not "end of subject" but "end of subject or nearly the end with a single newline at the end".

Proof of concept, exploit or instructions to reproduce

To test for this vulnerability just try the following piece of code.


  $var = "\n";

  var_dump(filter_var($var, FILTER_VALIDATE_EMAIL));


It should be obvious that the supplied email address should not be considered safe, because it contains a newline at the end which is especially dangerous when put into an email because of the possibility of email injections.


This vulnerability is also very common in most PHP applications that use preg_match() validation.

This vulnerability is also one of the reasons why we do not recommend using ext/filter for user input filtering/validation. Whenever there is a fault in the code the application might be open for attacks and only the admin of the server is able to fix this. This is especially bad in shared hosting environments.