Newsgroups: php.internals
Message-ID: <46E86C0A.5020402@zend.com>
Date: Wed, 12 Sep 2007 15:45:30 -0700
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: 'PHP Internals'
Subject: mail.force_extra_parameters

Would anyone object to disallowing setting mail.force_extra_parameters from .htaccess?
The problem is that mail.force_extra_parameters can pass arbitrary arguments to the mail tool, and some mail tools (especially one, guess which ;) have a lot of parameters, that allow, in particular, reading and writing arbitrary files - which may be a problem with safe_mode (yes, I know, but we are still in 5.x) and open_basedir.

I understand that mail.force_extra_parameters was meant for sysadmins anyway, so disallowing .htaccess to change it seems ok. Objections?

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
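
An audit sketch for the concern raised in this message, added here as an example and not part of the original post or of PHP itself: it walks a document root and reports every .htaccess file that sets mail.force_extra_parameters through a `php_value` line. The function names, the sample file and the `-f...@example.com` values are constructed for illustration, and the script assumes mod_php-style `php_value` directives.

```python
import re
from pathlib import Path

# "php_value mail.force_extra_parameters <value>", value optionally quoted.
# Apache directive names are case-insensitive; the whole pattern is matched
# case-insensitively, which over-reports rather than misses.
DIRECTIVE = re.compile(
    r'^\s*php_value\s+mail\.force_extra_parameters\s+(?P<value>.+?)\s*$',
    re.IGNORECASE,
)

def scan_htaccess_text(text):
    """Return [(line_number, value)] for each per-directory override found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # Apache comment line, not active
            continue
        match = DIRECTIVE.match(line)
        if match:
            hits.append((lineno, match.group("value").strip("\"'")))
    return hits

def scan_tree(docroot):
    """Map each .htaccess under docroot that sets the directive to its hits."""
    findings = {}
    for path in Path(docroot).rglob(".htaccess"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it, keep auditing the rest
        hits = scan_htaccess_text(text)
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample .htaccess content (not taken from any real site).
SAMPLE = """\
# constructed sample .htaccess
RewriteEngine On
php_value upload_max_filesize 8M
# php_value mail.force_extra_parameters -fold@example.com
PHP_Value mail.force_extra_parameters "-fbounce@example.com"
"""

if __name__ == "__main__":
    for lineno, value in scan_htaccess_text(SAMPLE):
        print(f"line {lineno}: mail.force_extra_parameters = {value!r}")
```

Any hit is a place where a per-directory file, rather than the administrator's php.ini, controls the extra arguments handed to the mail binary.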