From: [EMAIL PROTECTED]
Operating system: Linux, RedHat 7.3
PHP version: 4.2.3
PHP Bug Type: Feature/Change Request
Bug description: Multiple cmdline args for mail()'s fifth parameter

(Please see closed bug 15509.)

I'd like to make a feature request for mail(), whereby multiple commandline arguments can be passed on to the underlying MTA. The easiest is to simply allow an arbitrary string, with whitespace, as the fifth argument to mail(), passing it on more or less as is (quoting of individual arguments is fine).

I think the security issue of the fifth parameter is a red herring, as the parameter will rarely ("never") contain anything not explicitly written by the programmer. That is, it will "never" contain arbitrary web page input.

I need to do "-odd [EMAIL PROTECTED]", which, with the current restriction, means that I have to write my own mail() function, which shouldn't really be necessary for something like this ("odd" sets deferred delivery, dumping mail in the queue for the daemon to pick up later).

I have in fact made a (very clean) patch against PHP-4.2.3 ext/standard/mail.c to allow multiple params, adding quotes, so that if somebody were to pass a parameter of "; killall -9 httpd" it comes out as "';' 'killall' '-9' 'httpd'".

Surely, this must be safe enough, in particular considering where the contents for the fifth parameter would normally come from (PHP coder, not web site user).

Cheers.

--
Per

--
Edit bug report at http://bugs.php.net/?id=20244&edit=1
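
The per-token quoting the report describes, as an added example (not the author's patch and not code from PHP's mail.c): the hypothetical function `quote_mta_params` splits the string on whitespace and single-quotes each token for `/bin/sh`. It also handles a single quote inside a token, a case the report does not mention; the address in `main` is a constructed sample.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (an assumption, not PHP's own code): split `params`
 * on whitespace and wrap every token in single quotes. A single quote in a
 * token becomes '\'' (close quote, backslash-escaped quote, reopen quote).
 * Returns a malloc()ed string the caller must free(), or NULL on failure. */
char *quote_mta_params(const char *params)
{
    size_t len = strlen(params);
    const char *p = params;
    char *out, *w;

    /* Worst case per input byte: 4 bytes of payload plus 3 bytes of
     * per-token overhead (two quotes and a separator), plus the NUL. */
    if (len > (SIZE_MAX - 1) / 7 || (out = malloc(len * 7 + 1)) == NULL)
        return NULL;
    w = out;

    while (*p != '\0') {
        while (isspace((unsigned char)*p))   /* skip token separators */
            p++;
        if (*p == '\0')
            break;
        if (w != out)
            *w++ = ' ';                      /* one space between tokens */
        *w++ = '\'';
        for (; *p != '\0' && !isspace((unsigned char)*p); p++) {
            if (*p == '\'') {
                memcpy(w, "'\\''", 4);       /* emits the 4 bytes '\'' */
                w += 4;
            } else {
                *w++ = *p;                   /* ; | $ ` stay literal in quotes */
            }
        }
        *w++ = '\'';
    }
    *w = '\0';
    return out;
}

int main(void)
{
    char *q = quote_mta_params("; killall -9 httpd");
    if (q != NULL)
        printf("%s\n", q);
    free(q);
    return 0;
}
```

Quoting keeps each token a single, inert argument to the shell; it does not restrict which MTA options are passed, so the string still has to come from the programmer, as the report assumes.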