
Ilia Alshanetsky wrote:
>> I'm thinking about this from an ISP point of view... we get a lot of
>> abuse reports because people have poorly written form handlers. It
>> would be great if we could have PHP insert the full URL, domain name
>> included, in the mail headers for anything it sends. Would that be
>> possible?
> 
> That is way too much information to include in an e-mail header; this
> would in fact be an information disclosure vulnerability in many eyes. The
> log file that you can enable provides you with the full path to the
> script that called mail, which is more than enough to identify the
> offending script and/or application.


In case someone uses a library installed on the server where the
mail() call is, e.g., in /usr/lib/PEAR/lib/php/Mail/Transport/PHP_Mail.php
(just an example), would this really help in identifying the cause of the
problem? No domain, no URL; I think it would be hard to determine who
used it.

- Markus
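
The concern raised in this message, that a logged path may point at a shared library rather than at the site that used it, can be addressed without putting anything extra into outgoing headers by recording the request context in a server-side log. This is an added example, not code from the thread or from PHP itself: `logged_mail()`, `clean_log_field()` and the log path are hypothetical names, and it assumes PHP 7 or later.

```php
<?php
// Hypothetical wrapper (not part of PHP): sends mail and records, in a
// server-side log only, which site and entry script triggered the call.

const MAIL_AUDIT_LOG = '/var/log/php-mail-audit.log'; // assumed path

// Host and URI are client-controlled: strip control characters so a request
// cannot forge extra log lines, and cap the field length.
function clean_log_field($value): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string) $value) ?? '';
    return substr($value, 0, 512);
}

function logged_mail(string $to, string $subject, string $body, string $headers = ''): bool
{
    // Frame 0 is the caller of logged_mail(). With a shared library this is
    // the library file, which is why the entry script is logged as well.
    $frame = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0] ?? [];

    $record = [
        'time'   => date('c'),
        'host'   => $_SERVER['HTTP_HOST'] ?? '-',        // virtual host that was requested
        'uri'    => $_SERVER['REQUEST_URI'] ?? '-',      // URL path of the form handler
        'entry'  => $_SERVER['SCRIPT_FILENAME'] ?? '-',  // top-level script, not the library
        'caller' => ($frame['file'] ?? '-') . ':' . ($frame['line'] ?? 0),
        'to'     => $to,
    ];

    // One key="value" pair per field, one line per message sent.
    $line = '';
    foreach ($record as $key => $value) {
        $line .= $key . '="' . str_replace('"', "'", clean_log_field($value)) . '" ';
    }
    error_log(rtrim($line) . PHP_EOL, 3, MAIL_AUDIT_LOG);

    return mail($to, $subject, $body, $headers);
}
```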

-- 
PHP Internals - PHP Runtime Development Mailing List