Newsgroups: php.internals
From: paul@rusko.us ("Paul G")
Date: Sun, 30 May 2004 14:29:53 -0400
Subject: Re: [PHP-DEV] [patch] abuse-proof zif_mail()

ilia,

----- Original Message -----
From: "Ilia Alshanetsky"
To: ; "Paul G"
Sent: Sunday, May 30, 2004 2:07 PM
Subject: Re: [PHP-DEV] [patch] abuse-proof zif_mail()

> First of all if you have people abusing the mail function one solution is to
> disable it via the disable_functions directive inside your php.ini file.

depending on the function in question, this may or may not be a viable option. we already have system() and all of its brethren disabled and have not had any complaints from any legitimate users - those functions are not commonly used in software typical users want to run and the collateral from disabling them is negligible.

when it comes to mail(), it is a whole different story. if i disabled mail() on just one box today, a *lot* of people would complain and with good reason - the collateral inflicted by something that drastic (ie disabling a very popular function to protect against a relative edge case) is way out of line. i am not an anti-spam fanatic, the clients' requirements come first.

> If you must append headers then you could easily specify a path to a sendmail
> using a configuration that would append any header that you like to outgoing
> e-mails.

are you saying i can have sendmail append an identifier that would tell me which script or user generated the email (given that it was invoked from mail() in mod_php)? if so, i (stupidly) missed it and would love to get it done that way rather than mucking with php's internals.

> There are plenty of other solutions available.

i would love to hear about them. obviously, if there is a simpler solution, it is vastly preferable. closer inspection reveals that $PWD is the only thing i can get at from within sendmail and it is obviously user-supplied (most of my trophy captured scripts did their deed from cd /tmp).

thanks for your input, much appreciated.

paul