Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:26942
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 64.233.162.225 as permitted sender)
DomainKey-Status: good
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:in-reply-to:references:mime-version:content-type:message-id:cc:content-transfer-encoding:from:subject:date:to:x-mailer:sender;
        b=ecrw64T/txMcuVKuvaEEwexj7O3NR7OBKMI8lCP0n4zLndPGwyLm/CNxPHz5b9dxL1+MJ5lQoTmy+eXuicmJJ6/rQX4sVGN8owq/11yVeGHyYrpX+L5gFeKT6dXpzng67z12sWy+wWCIPgikpJaoqqJEbFYazkher9QFPHPcaDw=
In-Reply-To: <45807AC8.8020907@gmail.com>
References: <10536315-883E-4C1A-AF35-386DF4D73F84@prohost.org> <45807AC8.8020907@gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-ID: <515375DA-C752-4F5D-A244-3394C56846DA@prohost.org>
Cc: PHP internals <internals@lists.php.net>
Content-Transfer-Encoding: 7bit
Date: Wed, 13 Dec 2006 17:48:38 -0500
To: Stut <stuttle@gmail.com>
Sender: Ilia Alshanetsky <iliaal@gmail.com>
Subject: Re: [PHP-DEV] mail() logging for PHP
From: ilia@prohost.org (Ilia Alshanetsky)


On 13-Dec-06, at 5:12 PM, Stut wrote:

> Ilia Alshanetsky wrote:
>> Is there any interest in adding support for logging of mail()  
>> calls and/or adding options that allow identification of who sent  
>> the e-mail.
>> I've wrote a quick patch that enables this functionality via two  
>> ini settings controllable via php.ini or per-virtual host.
>> The first option, mail.add_x_header (boolean) allows you to enable  
>> the addition of the X-PHP-Originating-Script header to each mail  
>> sent by mail(), which will include the uid of the script and its  
>> name. The combination of the two should be sufficient to identify  
>> the user to whom the script belongs and via a simple find command  
>> locate the actual script. This option is intended primarily for  
>> instances where you have a bounced e-mail or a forwarded mail with  
>> a spam complaint, allowing you to quickly identify the offender.
>> The second option, mail.log (takes a filename) allows you to  
>> enable logging of every single mail() call, each log line will  
>> include the fullpath of the file and the line where the mail() was  
>> called from in addition to the "To" address and any headers (to  
>> keep track of CC, BCC) that were part of the function call. To  
>> ensure that each log line is 1 line long, \r and \n are replaced  
>> with spaces.
>> The patch that makes this possible can be found here:
>> http://ilia.ws/uploads/patches/mail_log.txt.gz
>
> Yes, yes, yes, a thousand times yes. I'm assuming the filename is  
> the full path and filename? Couldn't that be considered a security  
> risk?

Only in the log file, for the header only the filename is included,  
so there is no security risk here.

> IMHO it would be better to have an option that would provide the  
> domain name and the filename relative to the site root (if available).
>
> Also, I'm assuming this is configurable via php_flag in an Apache  
> configuration file?

It can be controlled via httpd.conf but not via .htaccess.

Ilia Alshanetsky