ilia,

----- Original Message -----
From: "Ilia Alshanetsky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Paul G" <[EMAIL PROTECTED]>
Sent: Sunday, May 30, 2004 2:07 PM
Subject: Re: [PHP-DEV] [patch] abuse-proof zif_mail()

> First of all if you have people abusing the mail function one solution is to
> disable it via the disable_functions directive inside your php.ini file.

depending on the function in question, this may or may not be a viable option. we already have system() and all of its brethren disabled and have not had any complaints from any legitimate users - those functions are not commonly used in software typical users want to run and the collateral from disabling them is negligible. when it comes to mail(), it is a whole different story. if i disabled mail() on just one box today, a *lot* of people would complain and with good reason - the collateral inflicted by something that drastic (i.e. disabling a very popular function to protect against a relative edge case) is way out of line. i am not an anti-spam fanatic, the clients' requirements come first.

> If you must append headers then you could easily specify a path to a sendmail
> using a configuration that would append any header that you like to outgoing
> e-mails.

are you saying i can have sendmail append an identifier that would tell me which script or user generated the email (given that it was invoked from mail() in mod_php)? if so, i (stupidly) missed it and would love to get it done that way rather than mucking with php's internals.

> There are plenty of other solutions available.

i would love to hear about them. obviously, if there is a simpler solution, it is vastly preferable. closer inspection reveals that $PWD is the only thing i can get at from within sendmail and it is obviously user-supplied (most of my trophy captured scripts did their deed from cd /tmp).

thanks for your input, much appreciated.

paul

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php