php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15509 fifth argument in mail only supports one parameter and no spaces
Submitted: 2002-02-11 13:32 UTC Modified: 2002-08-17 20:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: andreia dot mahler at ipayx dot com Assigned:
Status: Closed Package: Mail related
PHP Version: 4.1.1 OS: Linux RedHat 7.1
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: andreia dot mahler at ipayx dot com
New email:
PHP Version: OS:

 

 [2002-02-11 13:32 UTC] andreia dot mahler at ipayx dot com
The behavior of the fifth parameter of the mail function
has changed from version 4.0.6 to version 4.1.1 - only one sendmail parameter seems to be allowed and no spaces can follow the flag for the parameter. Below are some lines of code showing displaying the problem!


in version 4.0.6 the following line worked:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-N failure,success,
delay -f receipts@ipayx.com");

in version 4.1.1 I could only get:

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-Nfailure,success,
delay");

or

mail("andreia.mahler@ipayx.com", "test subject", "test body","Message-Id:
test-header", "-freceipts@ipayx.com");

Note that the spaces were not allowed after the flags (-N or -F) and only one argument alone worked.

Is this is 4.1.1 bug or will we be restricted to only one flag in the fifth field as the online manual says?

Thanks!

Andreia


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-02 18:26 UTC] mfischer@php.net
Do you have safe_mode enabled?
 [2002-06-10 10:30 UTC] andreia dot mahler at ipayx dot com
I don't have safe-mode enabled - in php.ini

;
; Safe Mode
;
safe_mode = Off

Thanks!

Andreia
 [2002-06-10 11:25 UTC] mfischer@php.net
The behaviour was changed for security reason, only one parameter can be passed, even when spaces are in the parameter.
 [2002-08-17 17:08 UTC] php at paul-roberts dot com
what are the security issues involved in passing multiple parameters.
 [2002-08-17 20:17 UTC] derick@php.net
mail ('foo','bar','derick@example.com','',';killall -9 httpd');

(of course this will only kill httpd's running as the httpd user)

Derick
 [2002-11-01 06:30 UTC] pgb at qbfox dot com
I think the security issue of the fifth parameter is a
red herring, as the parameter will rarely ("never") contain
anything not explicitly written by the programmer.  That
is, it will "never" contain arbitrary web page input.

I need to do "-odd -fadmin@shavashava.com", which, with the
current restriction, means that I have to write my own
mail() function, which shouldn't really be necessary for
something like this ("odd" sets deferred delivery, dumping
mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3
ext/mail.c to allow multiple params, I'll be happy to pass
it on.

  -- Per
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Jun 15 10:01:23 2021 UTC