Newsgroups: php.internals
From: ceo@l-i-e.com ("Richard Lynch")
Date: Thu, 14 Dec 2006 14:45:58 -0600 (CST)
To: "Rick Widmer"
Cc: "PHP internals"
Subject: Re: [PHP-DEV] mail() logging for PHP

On Thu, December 14, 2006 11:29 am, Rick Widmer wrote:
>> Cracking point. Putting the domain in a header would make this far
>> more useful, and I don't think that's too much info to include in a
>> header. Ideally it would be the full URL, and I have to say that I
>> don't think that's too much information for a mail header, and it's
>> exactly what would be needed.
>
> I agree. The most useful information you can possibly put in the
> header is the full URL of the script that sent the message.

So if it's a cronjob in a shell script, what do you get?... The full path to the script?

Just askin', not trying to score points or anything.

I suspect ISPs would LOVE to have this.

I know my ISP had to write a Perl script to search all his clients' source for calls to mail() and then patched their PHP scripts for them to shut down the huge surge of header-injections a while back.
He emailed us all and told us what he did, and I daresay most of his clients had no idea what he was talking about, but were happy to let him fix their scripts to help fight spam.

If it defaults to "off" and the host turns it "on" and that opens up the security hole of exposing the inner workings of a site...

This does need some consideration, I think, but I suspect 99.9% of installations would love this feature, and it wouldn't expose anything at all that isn't already exposed -- And most of the remaining 0.1% would be run by people who have half a clue and understand the implications of turning it on in the first place.

Or are y'all thinking default it to "on" in future releases?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?