php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #61131 "HTTP-Posting-Client" etc are undocumented
Submitted: 2012-02-18 04:27 UTC Modified: 2012-02-18 06:27 UTC
From: php at richardneill dot org Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-02-18 04:27 UTC] php at richardneill dot org
Description:
------------
I've just been looking at the headers of some email sent out by my own system (using PHP's mail() function).

I note that the email contains headers including the following:

HTTP-Posting-Client: USERS_IP_ADDRESS
HTTP-Posting-URI: MY_WEBSITE:80/PATH/TO/FILE.php
HTTP-Posting-User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.5 (like Gecko) Mageia/4.6.5-1.3.mga1


I can't locate any documentation of where these headers get added, or how to configure them  (despite already searching the entire PHP documentation, and grepping the php.ini files)

I'm filing this first as a documentation "bug", though I really consider it as a significant security hole / information leak which could compromise the privacy of the sender.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-18 04:45 UTC] rasmus@php.net
They aren't documented because we don't add them. Your PHP is either patched 
locally to do this, something else is adding it, or you have userspace code doing 
it.

The only header PHP optionally adds (disabled by default) is X-PHP-Originating-
Script which is documented here:

http://www.php.net/manual/en/mail.configuration.php
 [2012-02-18 04:45 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2012-02-18 05:10 UTC] php at richardneill dot org
> They aren't documented because we don't add them. 
> Your PHP is either patched locally to do this, something else is adding it,
> or you have userspace code doing it.

Thanks for your explanation - this makes sense from PHP's perspective, but it's now really weird. Googling for these headers shows they are very widespread. I know there is no userspace code of mine doing this, and I don't think sendmail could be doing it (the MTA can't have knowledge of the HTTP user-agent).

I'm using the stock PHP build provided by Mageia.
 [2012-02-18 05:42 UTC] php at richardneill dot org
You're right - sorry for wasting your time - this is a patch in the most unlikely place. Mandriva (and thence Mageia) have patched the source, in file php-mail.diff; here are the relevant lines.


+		if (PG(http_globals)[TRACK_VARS_SERVER]) {
+			zval **remote_addr, **server_name, **server_port,
+				**script_name, **http_user_agent;
+			
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &remote_addr)==SUCCESS) {
+				convert_to_string_ex(remote_addr);
+				fprintf(sendmail, "HTTP-Posting-Client: %s\n", Z_STRVAL_PP(remote_addr));
+			}
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SERVER_NAME", sizeof("SERVER_NAME"), (void **) &server_name)==SUCCESS) {
+				convert_to_string_ex(server_name);
+				fprintf(sendmail, "HTTP-Posting-URI: %s", Z_STRVAL_PP(server_name));
+				if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SERVER_PORT", sizeof("SERVER_PORT"), (void **) &server_port)==SUCCESS) {
+					convert_to_string_ex(server_port);
+					fprintf(sendmail, ":%s", Z_STRVAL_PP(server_port));
+				}	
+				if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "SCRIPT_NAME", sizeof("SCRIPT_NAME"), (void **) &script_name)==SUCCESS) {
+					convert_to_string_ex(script_name);
+					fprintf(sendmail, "%s", Z_STRVAL_PP(script_name));
+				}
+				fprintf(sendmail, "\n");
+			}
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &http_user_agent)==SUCCESS) {
+				convert_to_string_ex(http_user_agent);
+					fprintf(sendmail, "HTTP-Posting-User-Agent: %s\n", Z_STRVAL_PP(http_user_agent));
+			}
+		}


[I'll add a pointer to this bug report into the mail() user-docs, so that other people can at least find this more easily.]
 [2012-02-18 05:51 UTC] rasmus@php.net
And no way to turn it off. Not a very friendly patch.
 [2012-02-18 06:20 UTC] php at richardneill dot org
Crossref: I've filed this for Mageia. 
https://bugs.mageia.org/show_bug.cgi?id=4571

The specfile credits PLD for the original patch.
 [2012-02-18 06:27 UTC] rasmus@php.net
I saw you mentioned it should be implemented upstream. For spam-detection 
purposes, I don't think all those headers are all that useful. What you really 
want to know, as an ISP, is which script on your server is being used to send 
spam with. The IP and user-agent isn't all that useful and if you really want 
those, you can dig them out of your access logs since you know which script was 
hit. We already have that capability implemented via mail.add_x_header.
 [2012-02-18 07:06 UTC] php at richardneill dot org
I agree - this feature isn't very useful, even upstream.

I have found an ugly workaround: Postfix supports checking (and removing) headers. (There is probably a similar fix for all other MTAs)

1. Enable header-checks, in /etc/postfix/main.cf :
    header_checks = regexp:/etc/postfix/header_checks

2. Specify the headers to strip, in /etc/postfix/header_checks :

/^HTTP-Posting-Client:/      	IGNORE
/^HTTP-Posting-URI:/     	IGNORE
/^HTTP-Posting-User-Agent:/     IGNORE
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Feb 29 10:01:27 2020 UTC