On Sun, Jan 8, 2017 at 11:19 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> On Sun, Jan 8, 2017 at 6:57 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> > All of us knew details of PHPMailer and Swift Mailer issues with mail()'s
> > 5th (additional_parameters) parameter by now, I suppose. Current behavior
> > (applying php_escape_shell_cmd to addtional_parameters) is not nice and
> > similar issue may raise with addtional_parameters in the future.
> >
> > The issue could be mitigated by allowing array addtional_parameter. It's
> > basically the same as 4th (addtional_header) parameter change which is
> > committed by me.
> >
> > - Allow array additional_parameter and soft deprecate (document
> > deprecation) string one.
> > - Use key as "option name" and validate chars
> > - Use value as "option value" and validate some control chars then apply
> > escapeshellarg()
> >
> > Since we cannot assume which shell to be used with sendmail command/how
> > sendmail command is invoked, this is not complete solution. (This
> includes
> > php.ini option setting, i.e. sendmail_path and
> mail.force_extra_parameters)
> > This is a mitigation, but it seems we are better to have this to protect
> > PHP systems.
> >
> > Any comment for this change?
> > Or better, is anyone working on this?
> >
> > Removing 5th option may be good idea also. The most severe BC impact
> would
> > be SMTP authentication. If users need SMTP authentication (or any other
> > options) with sendmail command, mail.force_extra_parameters/
> sendmail_path
> > ini setting may be used.
> >
> > We cannot remove parameter suddenly. We may document deprecation now,
> > raise warning with 7.2, remove it by 7.3 or 8.0.
> >
> > Are there comments for removing 5th option?
> >
>
> If there isn't any preference, I would like to write RFC for removing
> 'addtional_parameters' option from mail()/mb_send_mail(). Command
> injections are still possible with INI settings. Users will notice risks by
> additional comments in php.ini-{production,development} and the manual
> when
> we remove 'addtional_parameters' option, hopefully.
>
> If anyone would like to keep mail()'s 'addtional_parameters' (5th) option,
> please let me know now.
>
Without this option, how do you specify the envelope sender? That seems to
be the primary use-case.
Nikita
