php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20371 Wrong NEWS entry. This change should read 4.2.3 not 4.3.0.
Submitted: 2002-11-11 16:51 UTC Modified: 2002-11-13 12:29 UTC
From: alasdair at alivewww dot com Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: 4.2.3 OS: FreeBSD
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: alasdair at alivewww dot com
New email:
PHP Version: OS:

 

 [2002-11-11 16:51 UTC] alasdair at alivewww dot com
The PHP Changelog for 4.2.3 does not mention the inclusion of a new directive in Safe Mode to restrict the 5th parameter in the mail() function.

Quoting somewhere:

"This fifth parameter was added in PHP 4.0.5. Since PHP 4.2.3 this parameter is disabled in safe_mode and the mail() function will expose a warning message and return FALSE if you're trying to use it."

There is no mention of this in the Change Log. For PHP, a very widly used piece of software, i find it totally insane that such a major change has been implemented in a minor release update. And not only that, for it to not even be mentioned on the change log!!

It would seem that the Change log is not a valid source of information - since it cannot even be trusted to include major changes. I would reccomend slapping whoever comitted this change.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-11-11 17:01 UTC] rasmus@php.net
It's right there in the NEWS file:

- Disabled the fifth parameter in mail() when safe-mode is turned on. (Derick)

And for that matter, it is also in the ChangeLog:

2002-07-02  Derick Rethans  <d.rethans@jdimedia.nl>

    * ext/standard/mail.c:
    - Be nice to users and allow them to check if the mail was send

    * ext/standard/mail.c: - Disable 5th parameter to mail in safemode
    - Disabled the fifth parameter to the mail function in safemode.

And yes, we will continue to fix security problems in minor releases.  This was a nasty security hole and needed to be fixed.
 [2002-11-11 17:06 UTC] alasdair at alivewww dot com
It is however not mentioned on:

http://www.php.net/ChangeLog-4.php

It is not mentioned on this change log that it is summarised/incomplete. While it may be mentioned elsewhere, this is more a complaint about the front page change log than anything else.
 [2002-11-12 19:18 UTC] philip@php.net
It's not listed in that changelog because that changelog updates depending on current stable PHP version.  It does not show 4.3.0 entries as the current stable version is 4.2.3

The question is when did this _really_ get committed?  It's in the 4.3.0 NEWS yet is currently documented as a 4.2.3 change.  I am assuming this is a documentation bug for now.
 [2002-11-12 22:03 UTC] alasdair at lumsden dot biz
In the source of 4.2.3 that I downloaded, the code has been changed to include this check in safe mode.

It is not in the 4.2.3 NEWS file in the source I downloaded, or on the 4.2.3 Change Log: http://www.php.net/ChangeLog-4.php

As I say, it has been comitted to the 4.2.3 source as far as I can see, the code is right here in mail.c:

if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
      php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect.  The fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C));
      RETURN_FALSE;
}

Am I to understand this has been documented as a 4.3.0 change?
 [2002-11-12 22:16 UTC] alasdair at alivewww dot com
Updated Summary to make it more relevant.
 [2002-11-13 00:30 UTC] philip@php.net
Okay, someone put this in the wrong NEWS.

  http://www.php.net/php4news

This is not a doc problem, reclassified so this will make it to php-dev not phpdoc.  Someone needs to edit NEWS.
 [2002-11-13 12:29 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


We can't really change 'history' but in 4.3.0, the entry will be in correct place. :)

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Jul 06 07:05:46 2022 UTC