|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #61131 "HTTP-Posting-Client" etc are undocumented
Submitted: 2012-02-18 04:27 UTC Modified: 2012-02-18 06:27 UTC
From: php at richardneill dot org Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: php at richardneill dot org
New email:
PHP Version: OS:


 [2012-02-18 04:27 UTC] php at richardneill dot org
I've just been looking at the headers of some email sent out by my own system (using PHP's mail() function).

I note that the email contains headers including the following:

HTTP-Posting-User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.5 (like Gecko) Mageia/4.6.5-1.3.mga1

I can't locate any documentation of where these headers get added, or how to configure them  (despite already searching the entire PHP documentation, and grepping the php.ini files)

I'm filing this first as a documentation "bug", though I really consider it as a significant security hole / information leak which could compromise the privacy of the sender.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-18 04:45 UTC]
They aren't documented because we don't add them. Your PHP is either patched 
locally to do this, something else is adding it, or you have userspace code doing 

The only header PHP optionally adds (disabled by default) is X-PHP-Originating-
Script which is documented here:
 [2012-02-18 04:45 UTC]
-Status: Open +Status: Not a bug
 [2012-02-18 05:10 UTC] php at richardneill dot org
> They aren't documented because we don't add them. 
> Your PHP is either patched locally to do this, something else is adding it,
> or you have userspace code doing it.

Thanks for your explanation - this makes sense from PHP's perspective, but it's now really weird. Googling for these headers shows they are very widespread. I know there is no userspace code of mine doing this, and I don't think sendmail could be doing it (the MTA can't have knowledge of the HTTP user-agent).

I'm using the stock PHP build provided by Mageia.
 [2012-02-18 05:42 UTC] php at richardneill dot org
You're right - sorry for wasting your time - this is a patch in the most unlikely place. Mandriva (and thence Mageia) have patched the source, in file php-mail.diff; here are the relevant lines.

+		if (PG(http_globals)[TRACK_VARS_SERVER]) {
+			zval **remote_addr, **server_name, **server_port,
+				**script_name, **http_user_agent;
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->, "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &remote_addr)==SUCCESS) {
+				convert_to_string_ex(remote_addr);
+				fprintf(sendmail, "HTTP-Posting-Client: %s\n", Z_STRVAL_PP(remote_addr));
+			}
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->, "SERVER_NAME", sizeof("SERVER_NAME"), (void **) &server_name)==SUCCESS) {
+				convert_to_string_ex(server_name);
+				fprintf(sendmail, "HTTP-Posting-URI: %s", Z_STRVAL_PP(server_name));
+				if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->, "SERVER_PORT", sizeof("SERVER_PORT"), (void **) &server_port)==SUCCESS) {
+					convert_to_string_ex(server_port);
+					fprintf(sendmail, ":%s", Z_STRVAL_PP(server_port));
+				}	
+				if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->, "SCRIPT_NAME", sizeof("SCRIPT_NAME"), (void **) &script_name)==SUCCESS) {
+					convert_to_string_ex(script_name);
+					fprintf(sendmail, "%s", Z_STRVAL_PP(script_name));
+				}
+				fprintf(sendmail, "\n");
+			}
+			if (zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &http_user_agent)==SUCCESS) {
+				convert_to_string_ex(http_user_agent);
+					fprintf(sendmail, "HTTP-Posting-User-Agent: %s\n", Z_STRVAL_PP(http_user_agent));
+			}
+		}

[I'll add a pointer to this bug report into the mail() user-docs, so that other people can at least find this more easily.]
 [2012-02-18 05:51 UTC]
And no way to turn it off. Not a very friendly patch.
 [2012-02-18 06:20 UTC] php at richardneill dot org
Crossref: I've filed this for Mageia.

The specfile credits PLD for the original patch.
 [2012-02-18 06:27 UTC]
I saw you mentioned it should be implemented upstream. For spam-detection 
purposes, I don't think all those headers are all that useful. What you really 
want to know, as an ISP, is which script on your server is being used to send 
spam with. The IP and user-agent isn't all that useful and if you really want 
those, you can dig them out of your access logs since you know which script was 
hit. We already have that capability implemented via mail.add_x_header.
 [2012-02-18 07:06 UTC] php at richardneill dot org
I agree - this feature isn't very useful, even upstream.

I have found an ugly workaround: Postfix supports checking (and removing) headers. (There is probably a similar fix for all other MTAs)

1. Enable header-checks, in /etc/postfix/ :
    header_checks = regexp:/etc/postfix/header_checks

2. Specify the headers to strip, in /etc/postfix/header_checks :

/^HTTP-Posting-Client:/      	IGNORE
/^HTTP-Posting-URI:/     	IGNORE
/^HTTP-Posting-User-Agent:/     IGNORE
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Jun 21 17:01:23 2021 UTC