PHP :: Bug #15509 :: fifth argument in mail only supports one parameter and no spaces

Bug #15509

fifth argument in mail only supports one parameter and no spaces

Submitted:

2002-02-11 13:32 UTC

Modified:

2002-08-17 20:17 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

andreia dot mahler at ipayx dot com

Assigned:

Status:

Closed

Package:

Mail related

PHP Version:

4.1.1

OS:

Linux RedHat 7.1

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	andreia dot mahler at ipayx dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-02-11 13:32 UTC] andreia dot mahler at ipayx dot com

The behavior of the fifth parameter of the mail function
has changed from version 4.0.6 to version 4.1.1 - only one sendmail parameter seems to be allowed and no spaces can follow the flag for the parameter. Below are some lines of code showing displaying the problem!


in version 4.0.6 the following line worked:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-N failure,success,
delay -f receipts@ipayx.com");

in version 4.1.1 I could only get:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-Nfailure,success,
delay");

or

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-freceipts@ipayx.com");

Note that the spaces were not allowed after the flags (-N or -F) and only one argument alone worked.

Is this is 4.1.1 bug or will we be restricted to only one flag in the fifth field as the online manual says?

Thanks!

Andreia

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-02 18:26 UTC] mfischer@php.net

Do you have safe_mode enabled?

[2002-06-10 10:30 UTC] andreia dot mahler at ipayx dot com

I don't have safe-mode enabled - in php.ini

;
; Safe Mode
;
safe_mode = Off

Thanks!

Andreia

[2002-06-10 11:25 UTC] mfischer@php.net

The behaviour was changed for security reason, only one parameter can be passed, even when spaces are in the parameter.

[2002-08-17 17:08 UTC] php at paul-roberts dot com

what are the security issues involved in passing multiple parameters.

[2002-08-17 20:17 UTC] derick@php.net

mail ('foo','bar','derick@example.com','',';killall -9 httpd');

(of course this will only kill httpd's running as the httpd user)

Derick

[2002-11-01 06:30 UTC] pgb at qbfox dot com

I think the security issue of the fifth parameter is a
red herring, as the parameter will rarely ("never") contain
anything not explicitly written by the programmer.  That
is, it will "never" contain arbitrary web page input.

I need to do "-odd -fadmin@shavashava.com", which, with the
current restriction, means that I have to write my own
mail() function, which shouldn't really be necessary for
something like this ("odd" sets deferred delivery, dumping
mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3
ext/mail.c to allow multiple params, I'll be happy to pass
it on.

  -- Per

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 15:00:02 2025 UTC