MAIL HARDENING

mail.php

@@ -1,6 +1,17 @@
 <?php
 declare(strict_types=1);
 
+function mail_contains_header_injection(string $value): bool {
+  return strpbrk($value, "\r\n\0") !== false;
+}
+
+function mail_is_valid_email(string $value): bool {
+  if (mail_contains_header_injection($value)) {
+    return false;
+  }
+  return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
+}
+
 function send_mail(string $an, string $betreff, string $text, string $ok = '', string $error = ''): void {
   global $absender;
   $sender = 'noreply@troy-grunt.de';
@@ -12,6 +23,10 @@ function send_mail(string $an, string $betreff, string $text, string $ok = '', s
       $sender = $_sendermail;
     }
   }
+  if (!mail_is_valid_email($an) || !mail_is_valid_email($sender) || mail_contains_header_injection($betreff)) {
+    echo $error;
+    return;
+  }
   $header = 'From: ' . $sender . "\r\n";
   $header .= 'To: ' . $an . "\r\n";
   $header .= 'Content-Type:text/html' . "\r\n";
@@ -36,6 +51,10 @@ function send_html_mail(string $an, string $betreff, string $text, string $ok =
       $sender = $_sendermail;
     }
   }
+  if (!mail_is_valid_email($an) || !mail_is_valid_email($sender) || mail_contains_header_injection($betreff)) {
+    echo $error;
+    return;
+  }
   $boundary = md5($an.$betreff.$text.time());
 
   $header = 'From: ' . $sender . "\n";
@@ -65,6 +84,10 @@ function send_php_mail(string $an, string $betreff, string $text, string $ok = '
   if (isset ( $_sendermail )) {
     $sender = $_sendermail;
   }
+  if (!mail_is_valid_email($an) || !mail_is_valid_email($sender) || mail_contains_header_injection($betreff)) {
+    echo $error;
+    return;
+  }
   include 'php-mailer/PHPMailer.php';
   $mail = new PHPMailer();