Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:97568
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 97120 invoked from network); 7 Jan 2017 22:04:51 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 7 Jan 2017 22:04:51 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:52198] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 41/00-31343-00661785 for <internals@lists.php.net>; Sat, 07 Jan 2017 17:04:51 -0500
Received: (qmail 104312 invoked by uid 89); 7 Jan 2017 21:58:03 -0000
Received: from unknown (HELO mail-wj0-f175.google.com) (yohgaki@ohgaki.net@209.85.210.175)
  by 0 with ESMTPA; 7 Jan 2017 21:58:03 -0000
Received: by mail-wj0-f175.google.com with SMTP id i20so50864608wjn.2
        for <internals@lists.php.net>; Sat, 07 Jan 2017 13:58:03 -0800 (PST)
X-Gm-Message-State: AIkVDXJfPAx13UdXIPlQxbmSnJTbUdfUMs2FTQZeEwNjNlwcvWI3wVa4QYPW1s6RScBPkcEp7wcdOU2YeGqt4A==
X-Received: by 10.194.36.68 with SMTP id o4mr3926822wjj.193.1483826276999;
 Sat, 07 Jan 2017 13:57:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.195.12.8 with HTTP; Sat, 7 Jan 2017 13:57:16 -0800 (PST)
Date: Sun, 8 Jan 2017 06:57:16 +0900
X-Gmail-Original-Message-ID: <CAGa2bXbgPpO4CfHyHrDDhbXsysk7HDsc17nQoGtWNv4zdaq5kA@mail.gmail.com>
Message-ID: <CAGa2bXbgPpO4CfHyHrDDhbXsysk7HDsc17nQoGtWNv4zdaq5kA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=047d7b6246f82630b50545883a9b
Subject: Improving mail() 5th parameter handling
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--047d7b6246f82630b50545883a9b
Content-Type: text/plain; charset=UTF-8

Hi all,

All of us knew details of PHPMailer and Swift Mailer issues with mail()'s
5th (additional_parameters) parameter by now, I suppose. Current behavior
(applying php_escape_shell_cmd to addtional_parameters) is not nice and
similar issue may raise with addtional_parameters in the future.

The issue could be mitigated by allowing array addtional_parameter. It's
basically the same as 4th (addtional_header) parameter change which is
committed by me.

 - Allow array additional_parameter and soft deprecate (document
deprecation) string one.
 - Use key as "option name" and validate chars
 - Use value as "option value" and validate some control chars then apply
escapeshellarg()

Since we cannot assume which shell to be used with sendmail command/how
sendmail command is invoked, this is not complete solution. (This includes
php.ini option setting, i.e. sendmail_path and mail.force_extra_parameters)
This is a mitigation, but it seems we are better to have this to protect
PHP systems.

Any comment for this change?
Or better, is anyone working on this?

Removing 5th option may be good idea also. The most severe BC impact would
be SMTP authentication. If users need SMTP authentication (or any other
options) with sendmail command, mail.force_extra_parameters/sendmail_path
ini setting may be used.

We cannot remove parameter suddenly. We may document deprecation now, raise
warning with 7.2, remove it by 7.3 or 8.0.

Are there comments for removing 5th option?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--047d7b6246f82630b50545883a9b--