ID:               20244
Updated by:       [EMAIL PROTECTED]
Reported By:      pgb at qbfox dot com
Status:           Open
Bug Type:         Feature/Change Request
Operating System: Linux, RedHat 7.3
PHP Version:      4.2.3
New Comment:

From PHP 5 you can force the extra parameters in safemode with the ini setting "mail_force_extra_parameters", see also:
http://news.php.net/article.php?group=php.cvs&article=19210

Derick

Previous Comments:
------------------------------------------------------------------------

[2002-11-04 06:26:42] pgb at qbfox dot com

(Please see closed bug 15509.)

I'd like to make a feature request for mail(), whereby multiple commandline arguments can be passed on to the underlying MTA. The easiest is to simply allow an arbitrary string, with whitespace, as the fifth argument to mail(), passing it on more or less as is (quoting of individual arguments is fine).

I think the security issue of the fifth parameter is a red herring, as the parameter will rarely ("never") contain anything not explicitly written by the programmer. That is, it will "never" contain arbitrary web page input.

I need to do "-odd [EMAIL PROTECTED]", which, with the current restriction, means that I have to write my own mail() function, which shouldn't really be necessary for something like this ("odd" sets deferred delivery, dumping mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3 ext/standard/mail.c to allow multiple params, adding quotes, so that if somebody were to pass a parameter of "; killall -9 httpd" it comes out as "';' 'killall' '-9' 'httpd'"

Surely, this must be safe enough, in particular considering where the contents for the fifth parameter would normally come from (PHP coder, not web site user).

Cheers.

-- Per

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=20244&edit=1
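
The per-argument quoting the report describes, written out as an added example: this is not the reporter's patch or PHP's own code, and the function name `quote_mta_params` is hypothetical. It assumes arguments are separated by whitespace and that the result is passed to a POSIX shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from PHP's mail.c): split `params` on whitespace
 * and return a malloc'd string in which every token is wrapped in single
 * quotes. An embedded ' is written as '\'' so it cannot end the quoting
 * early. Returns NULL on allocation failure; the caller frees the result. */
char *quote_mta_params(const char *params)
{
    static const char ws[] = " \t\r\n";
    char *out = malloc(strlen(params) * 7 + 1); /* <= 4 bytes/char + 3/token */
    char *w = out;

    if (out == NULL)
        return NULL;
    for (;;) {
        params += strspn(params, ws);       /* skip separators */
        if (*params == '\0')
            break;
        size_t n = strcspn(params, ws);     /* length of this token */
        if (w != out)
            *w++ = ' ';
        *w++ = '\'';
        for (size_t i = 0; i < n; i++) {
            if (params[i] == '\'') {
                memcpy(w, "'\\''", 4);      /* close, escaped quote, reopen */
                w += 4;
            } else {
                *w++ = params[i];
            }
        }
        *w++ = '\'';
        params += n;
    }
    *w = '\0';
    return out;
}

int main(void)
{
    /* The input quoted in the bug report. */
    char *q = quote_mta_params("; killall -9 httpd");
    if (q == NULL)
        return 1;
    printf("%s\n", q);
    free(q);
    return 0;
}
```

Quoting of this kind keeps the shell from interpreting the tokens; each token is still delivered to the MTA as an argument, so which options are permitted remains a separate decision.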