php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15509 fifth argument in mail only supports one parameter and no spaces
Submitted: 2002-02-11 13:32 UTC Modified: 2002-08-17 20:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: andreia dot mahler at ipayx dot com Assigned:
Status: Closed Package: Mail related
PHP Version: 4.1.1 OS: Linux RedHat 7.1
Private report: No CVE-ID: None
 [2002-02-11 13:32 UTC] andreia dot mahler at ipayx dot com
The behavior of the fifth parameter of the mail function
has changed from version 4.0.6 to version 4.1.1 - only one sendmail parameter seems to be allowed and no spaces can follow the flag for the parameter. Below are some lines of code showing displaying the problem!


in version 4.0.6 the following line worked:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-N failure,success,
delay -f receipts@ipayx.com");

in version 4.1.1 I could only get:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-Nfailure,success,
delay");

or

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-freceipts@ipayx.com");

Note that the spaces were not allowed after the flags (-N or -F) and only one argument alone worked.

Is this is 4.1.1 bug or will we be restricted to only one flag in the fifth field as the online manual says?

Thanks!

Andreia


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-02 18:26 UTC] mfischer@php.net
Do you have safe_mode enabled?
 [2002-06-10 10:30 UTC] andreia dot mahler at ipayx dot com
I don't have safe-mode enabled - in php.ini

;
; Safe Mode
;
safe_mode = Off

Thanks!

Andreia
 [2002-06-10 11:25 UTC] mfischer@php.net
The behaviour was changed for security reason, only one parameter can be passed, even when spaces are in the parameter.
 [2002-08-17 17:08 UTC] php at paul-roberts dot com
what are the security issues involved in passing multiple parameters.
 [2002-08-17 20:17 UTC] derick@php.net
mail ('foo','bar','derick@example.com','',';killall -9 httpd');

(of course this will only kill httpd's running as the httpd user)

Derick
 [2002-11-01 06:30 UTC] pgb at qbfox dot com
I think the security issue of the fifth parameter is a
red herring, as the parameter will rarely ("never") contain
anything not explicitly written by the programmer.  That
is, it will "never" contain arbitrary web page input.

I need to do "-odd -fadmin@shavashava.com", which, with the
current restriction, means that I have to write my own
mail() function, which shouldn't really be necessary for
something like this ("odd" sets deferred delivery, dumping
mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3
ext/mail.c to allow multiple params, I'll be happy to pass
it on.

  -- Per
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC