I don't buy the security line you are trying to tuck onto your non-silent termination patch. If you are concerned about safe mode, fine, enable the patch for safe mode only.
Having a warning in the case that the shell execution failed (it returns a non-zero error code, right?) makes sense, but you are intentionally breaking configurations which work flawlessly with older PHP versions.

- Sascha

On Fri, 10 Oct 2003, Ilia Alshanetsky wrote:

> Sascha,
>
> The purpose of the patch is to prevent silent termination of mail() when
> sendmail_path contains a non-existent path or a non-executable file. The
> backwards compatibility break was unintentional, however previous behavior
> may in fact be a security issue. Consider the following situation.
> I have sendmail_path set to "sendmail -t", inside my script I set PATH to ".",
> now by placing any executable file (sendmail) inside the current (or
> specified directory) I can execute it freely bypassing safe_mode,
> open_basedir and any other limitations. Same would be true if someone were to
> place a 'hostile' sendmail binary inside a directory whose PATH order
> precedes that of the real sendmail. It would allow the attacker to capture
> all text sent by PHP via e-mail.
> As I understand part of the reason for making sendmail_path system INI
> directive was to allow the server admin & only the server admin to control
> this directive. By allowing incomplete paths we potentially allow user to act
> as an admin.
>
> Ilia
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
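The three conditions discussed in this thread (a sendmail_path command that is relative and therefore resolved through PATH, a non-existent path, and a non-executable file) can be told apart before anything is executed. The following C is an added example, not code from the patch under discussion or from the PHP source; `check_sendmail_path` and the `SP_*` names are hypothetical, and it assumes the command path itself contains no spaces.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum sp_result { SP_OK, SP_INVALID, SP_RELATIVE, SP_MISSING, SP_NOT_EXECUTABLE };

/* Hypothetical helper: classify the command part of a sendmail_path value. */
enum sp_result check_sendmail_path(const char *value)
{
    char cmd[4096];
    struct stat st;
    size_t len;

    /* Take the first whitespace-delimited token: "sendmail -t" -> "sendmail".
     * Assumption: the command path contains no spaces or quoting. */
    value += strspn(value, " \t");
    len = strcspn(value, " \t");
    if (len == 0 || len >= sizeof(cmd))
        return SP_INVALID;
    memcpy(cmd, value, len);
    cmd[len] = '\0';

    /* Anything not starting with '/' is looked up via PATH or the current
     * directory, which a script can influence. */
    if (cmd[0] != '/')
        return SP_RELATIVE;
    if (stat(cmd, &st) != 0)
        return SP_MISSING;
    /* Must be a regular file that the current user may execute. */
    if (!S_ISREG(st.st_mode) || access(cmd, X_OK) != 0)
        return SP_NOT_EXECUTABLE;
    return SP_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "invalid", "relative (PATH lookup)",
                                   "missing", "not an executable file" };
    /* Constructed sample values, not taken from any real configuration. */
    const char *samples[] = { "sendmail -t", "/nonexistent/sendmail -t -i",
                              "/ -t", "/bin/sh -t" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s => %s\n", samples[i], names[check_sendmail_path(samples[i])]);
    return 0;
}
```

Reporting `SP_RELATIVE` separately from the other two failures lets a caller warn on it, or reject it only under safe mode, which is the distinction the two positions in this thread turn on.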