Request #20244 Multiple cmdline args for mail()'s fifth parameter
Submitted: 2002-11-04 06:26 UTC Modified: 2003-02-26 14:12 UTC
From: pgb at qbfox dot com Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.2.3 OS: Linux, RedHat 7.3
Private report: No CVE-ID: None

 [2002-11-04 06:26 UTC] pgb at qbfox dot com
(Please see closed bug 15509.)

I'd like to make a feature request for mail(), whereby
multiple commandline arguments can be passed on to the
underlying MTA.  The easiest is to simply allow an
arbitrary string, with whitespace, as the fifth argument
to mail(), passing it on more or less as is (quoting of
individual arguments is fine).

I think the security issue of the fifth parameter is a
red herring, as the parameter will rarely ("never") contain
anything not explicitly written by the programmer.  That
is, it will "never" contain arbitrary web page input.

I need to do "-odd -fadmin@shavashava.com", which, with the
current restriction, means that I have to write my own
mail() function, which shouldn't really be necessary for
something like this ("odd" sets deferred delivery, dumping
mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3
ext/standard/mail.c to allow multiple params, adding
quotes, so that if somebody were to pass a parameter of

"; killall -9 httpd"

it comes out as

"';' 'killall' '-9' 'httpd'"

Surely, this must be safe enough, in particular
considering where the contents for the fifth parameter
would normally come from (PHP coder, not web site user).

Cheers.

  -- Per
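The per-argument quoting described in the report above, as an added C example; it is not the submitter's patch, which does not appear on this page, and `quote_mail_args` and `append` are hypothetical names. Quoting each word keeps shell metacharacters literal, but every word is still handed to the MTA as a command-line argument, so this addresses shell interpretation only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append len bytes of s at out[*n], always leaving room for the final NUL. */
static int append(char *out, size_t outsz, size_t *n, const char *s, size_t len)
{
    if (len >= outsz - *n) return -1;
    memcpy(out + *n, s, len);
    *n += len;
    return 0;
}

/*
 * Hypothetical helper (not from ext/standard/mail.c): split `in` on
 * whitespace and wrap every word in single quotes for /bin/sh. An embedded
 * ' becomes '\''. Returns 0 on success, -1 if `out` is too small.
 */
int quote_mail_args(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (;;) {
        while (isspace((unsigned char)*in))
            in++;
        if (*in == '\0')
            break;
        /* Separate words with one space, then open the quote. */
        if (append(out, outsz, &n, n ? " '" : "'", n ? 2 : 1) < 0)
            return -1;
        for (; *in && !isspace((unsigned char)*in); in++) {
            int rc = (*in == '\'') ? append(out, outsz, &n, "'\\''", 4)
                                   : append(out, outsz, &n, in, 1);
            if (rc < 0) return -1;
        }
        if (append(out, outsz, &n, "'", 1) < 0)
            return -1;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[128]; /* sample input below is the string quoted in the report */
    if (quote_mail_args("; killall -9 httpd", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```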

 [2003-02-26 14:12 UTC] derick@php.net
From PHP 5 you can force the extra parameters in safemode with the ini setting "mail_force_extra_parameters", see also:
http://news.php.net/article.php?group=php.cvs&article=19210


Derick

 [2003-02-26 14:12 UTC] derick@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 