Bug #16488 Additional MTA argument shell ESCAPING IS USELESS
Submitted: 2002-04-08 06:08 UTC
Modified: 2002-04-08 10:32 UTC
From: spam4octan at highway dot ru
Assigned:
Status: Closed
Package: Mail related
PHP Version: 4.1.2
OS: Linux Red Hat
Private report: No
CVE-ID: None

 [2002-04-08 06:08 UTC] spam4octan at highway dot ru
Dear PHP People!

ext/standard/mail.c(124):
  extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));

I find shell escaping of the 5th argument of mail() useless, because IT PREVENTS ME FROM GIVING MORE THAN ONE OPTION TO MY MTA !

Sendmail `-fOther.Address@domain.org' is DEFINITELY NOT the only one use of the 5th argument!

Consider `long' sendmail options:
-O DeliveryMode=q -O ErrorMode=q

This became
/usr/sbin/sendmail -i -t '-O DeliveryMode=q -O ErrorMode=q'

... and completely disabled my script functionality !

If I need shell escaping, I can do it myself!

Ask Yourself: why should PHP care about some (brain-damaged) coders who pass arbitrary strings to popen() without escaping?


 [2002-04-08 06:13 UTC] derick@php.net
Yes

closing
 [2002-04-08 06:37 UTC] mfischer@php.net
Re-Opening

There's a valid point to pass more than one argument.

Afaik Stefan brought this up on the dev list a few weeks ago, though I don't remember the consensus; maybe he can answer this.

 [2002-04-08 10:32 UTC] derick@php.net
This function was originally without the shell escape thing. Please search the archive why they made me 'fix' it, all I can remember is that it was a security thingy.

Derick
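
The quoting difference discussed in this report, as an added example that is not part of the original thread and not PHP's own code: it single-quotes the extra MTA options either as one word or word by word, then lets /bin/sh parse the result. The names `quote_word`, `build_cmd` and `argc_after_shell`, and the `set --` stand-in for the MTA, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Append s[0..n) to p as one single-quoted sh word; ' becomes '\''. */
static char *quote_word(char *p, const char *s, size_t n) {
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = s[i];
    }
    *p++ = '\'';
    return p;
}

/* Build "<prog> <quoted extra><tail>": per_word == 0 quotes extra as ONE word
 * (the reported behaviour), otherwise each blank-separated word is quoted on
 * its own. 7 bytes per input byte covers the worst case. Caller frees. */
char *build_cmd(const char *prog, const char *extra, int per_word, const char *tail) {
    size_t len = strlen(extra);
    char *cmd = malloc(strlen(prog) + 7 * len + strlen(tail) + 8);
    if (!cmd) return NULL;
    char *p = cmd + sprintf(cmd, "%s", prog);
    for (size_t i = 0; per_word && i < len; ) {
        size_t n = strcspn(extra + i, " \t");
        if (n) { *p++ = ' '; p = quote_word(p, extra + i, n); }
        i += n + strspn(extra + i + n, " \t");
    }
    if (!per_word) { *p++ = ' '; p = quote_word(p, extra, len); }
    strcpy(p, tail);
    return cmd;
}

/* Let /bin/sh parse the line via system(), as it does for popen(). "set --"
 * stands in for the MTA, so the exit status is the number of arguments. */
int argc_after_shell(const char *extra, int per_word) {
    char *line = build_cmd("set -- -i -t", extra, per_word, "; exit $#");
    if (!line) return -1;
    int st = system(line);
    free(line);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    const char *extra = "-O DeliveryMode=q -O ErrorMode=q"; /* from the report */
    for (int mode = 0; mode < 2; mode++)
        printf("per_word=%d -> MTA sees %d arguments\n", mode, argc_after_shell(extra, mode));
    return 0;
}
```

Quoting word by word keeps every shell metacharacter literal while still delivering each option as its own argument; the trade-off is that an option value containing a blank can no longer be passed.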
 