php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55336 mail() function is not thread safe for Windows builds
Submitted: 2011-08-01 11:50 UTC Modified: 2011-08-30 20:50 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (100.0%)
From: grabli_2005 at mail dot ru Assigned: pajoye
Status: Assigned Package: Network related
PHP Version: 5.4.0alpha2 OS: Windows
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-08-01 11:50 UTC] grabli_2005 at mail dot ru
Description:
------------
win32\sendmail.c contans static variables and not thread safe.

Test script:
---------------
It`s not so easy to write test script, because of multithreading and needs of test SMTP server.

Expected result:
----------------
mail() funtion should be thread safe.
I`ve found this bug years ago. I`ve re-write sendmail.c to not use global variables for php 5.3.0.
Also I make it compilable for nix build, so mail() may not start heavy sendmail process and connect directly to local SMTP.
You can get this versions here http://lion.rusfur.net/mail_patch.rar


Actual result:
--------------
mail() fountion is not thread safe.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-01 12:02 UTC] grabli_2005 at mail dot ru
-Summary: mail() fountion is not thread safe for Windows builds +Summary: mail() function is not thread safe for Windows builds
 [2011-08-01 12:02 UTC] grabli_2005 at mail dot ru
fixed typo in title
 [2011-08-01 12:55 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-08-01 12:55 UTC] pajoye@php.net
Please provide a patch against 5.3 and 5.4.

Also I'm not sure about your statement.
 [2011-08-01 13:40 UTC] grabli_2005 at mail dot ru
I`ve provide this patches as reference only, not as product quality code replacement.
The only difference that I note since 5.3.0 is FormatEmailAddress function, that omits <> around emails.

You can check my statment:
look at /ext/standard/mail.c function php_mail
Here nix path: 	sendmail = popen(sendmail_cmd, "w");
Here win32 path: if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {

TSendMail located in win32\sendmail.c
here global variables:

#ifndef THREAD_SAFE
char Buffer[MAIL_BUFFER_SIZE];

/* socket related data */
SOCKET sc;
#ifndef NETWARE
WSADATA Data;
struct hostent *adr;
int WinsockStarted;
/* values set by the constructor */
char *AppName;
#endif	/* NETWARE */
SOCKADDR_IN sock_in;
char MailHost[HOST_NAME_LEN];
char LocalHost[HOST_NAME_LEN];
#endif

It`s placed under #ifndef THREAD_SAFE, but THREAD_SAFE not defined anywhere even when compile with ZTS. More often _THREAD_SAFE used around the code.
If you define THREAD_SAFE it`s break sendmail.c compilation, because rest of code uses this variables without any define switch.

You can simply debug or place debug printf() in TSendMail and see that this code executed and uses global variables.

win32\time.c have same issue.
 [2011-08-03 18:20 UTC] grabli_2005 at mail dot ru
-Status: Feedback +Status: Open
 [2011-08-03 18:20 UTC] grabli_2005 at mail dot ru
switch status to open, see details in previous comment
 [2011-08-22 14:51 UTC] kalle@php.net
Have you encountered any issues specific to this finding? I suppose we could make a new globals, like PW32G for SendMail and stash the variables in there.
 [2011-08-28 20:16 UTC] grabli_2005 at mail dot ru
Yep, I`ve got buffer corruption and socket leak under threading.
There no need of TSRM code, socket handle and buffer can be allocated on stack, it`s not so big (4kb).
 [2011-08-28 21:29 UTC] pajoye@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: pajoye
 [2011-08-28 21:29 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Would rock if you can provide one.
 [2011-08-30 20:50 UTC] grabli_2005 at mail dot ru
-Status: Feedback +Status: Assigned
 [2011-08-30 20:50 UTC] grabli_2005 at mail dot ru
Link you provide is for crash-point backtrace. Read cearfully - it`s not crashed, it`s not thread safe.
Problem function - win32\sendmail.c->TSendMail (with subfunctions) which uses global variables without any locking.
Also I can`t change status back to "Open", only avalable options for now is assigned and closed.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC