On 9/12/07, Stanislav Malyshev <[EMAIL PROTECTED]> wrote:
> Would anyone object to disallowing setting mail.force_extra_parameters
> from .htaccess? The problem is that mail.force_extra_parameters can pass
> arbitrary arguments to mail tool, and some mail tools (especially one,
> guess which ;) have a lot of parameters, that allow, in particular,
> reading and writing arbitrary files - which may be a problem with
> safe_mode (yes, I know, but we are still in 5.x) and open_basedir.
> I understand that mail.force_extra_parameters was meant for sysadmins
> anyway, so disallowing .htaccess to change it seems ok. Objections?
> --
You definitely got a +10000 from me for the exact same reasons, it's for sysadmins and if you have that in your .htaccess I believe this is a problem.

> Stanislav Malyshev, Zend Software Architect
> [EMAIL PROTECTED] http://www.zend.com/
> (408)253-8829 MSN: [EMAIL PROTECTED]
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
David Coallier,
Founder & Software Architect,
Agora Production (http://agoraproduction.com)
51.42.06.70.18
