Newsgroups: php.internals
Date: Mon, 9 Jan 2017 07:19:22 +0900
To: "internals@lists.php.net"
Subject: Re: Improving mail() 5th parameter handling
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Sun, Jan 8, 2017 at 6:57 AM, Yasuo
Ohgaki wrote:

> All of us knew details of PHPMailer and Swift Mailer issues with mail()'s
> 5th (additional_parameters) parameter by now, I suppose. Current behavior
> (applying php_escape_shell_cmd to additional_parameters) is not nice and
> a similar issue may arise with additional_parameters in the future.
>
> The issue could be mitigated by allowing array additional_parameter. It's
> basically the same as 4th (additional_header) parameter change which is
> committed by me.
>
> - Allow array additional_parameter and soft deprecate (document
>   deprecation) string one.
> - Use key as "option name" and validate chars
> - Use value as "option value" and validate some control chars then apply
>   escapeshellarg()
>
> Since we cannot assume which shell to be used with sendmail command/how
> sendmail command is invoked, this is not a complete solution. (This includes
> php.ini option setting, i.e. sendmail_path and mail.force_extra_parameters)
> This is a mitigation, but it seems we are better to have this to protect
> PHP systems.
>
> Any comment for this change?
> Or better, is anyone working on this?
>
> Removing 5th option may be a good idea also. The most severe BC impact would
> be SMTP authentication. If users need SMTP authentication (or any other
> options) with sendmail command, mail.force_extra_parameters/sendmail_path
> ini setting may be used.
>
> We cannot remove parameter suddenly. We may document deprecation now,
> raise warning with 7.2, remove it by 7.3 or 8.0.
>
> Are there comments for removing 5th option?
>

If there isn't any preference, I would like to write an RFC for removing the
'additional_parameters' option from mail()/mb_send_mail().

Command injections are still possible with INI settings. Users will notice
risks by additional comments in php.ini-{production,development} and the
manual when we remove the 'additional_parameters' option, hopefully.

If anyone would like to keep mail()'s 'additional_parameters' (5th) option,
please let me know now.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
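
The array handling listed in the quoted proposal (key as option name, value checked for control characters and then passed through escapeshellarg()), as an added userland PHP sketch; it is not code from the original message or from php-src. The function name `build_sendmail_params`, the option-name pattern and the use of `null` for value-less flags are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not php-src code) sketching the proposed array form.
// Assumed policy: option names are a dash plus letters/digits; the message
// itself only says "validate chars".
function build_sendmail_params(array $params): string
{
    $parts = [];
    foreach ($params as $name => $value) {
        if (!is_string($name) || preg_match('/\A-[A-Za-z][A-Za-z0-9]*\z/', $name) !== 1) {
            throw new InvalidArgumentException('invalid option name');
        }
        if ($value === null) {          // flag without a value, e.g. ['-t' => null]
            $parts[] = $name;
            continue;
        }
        if (!is_string($value)) {
            throw new InvalidArgumentException("$name: value must be string or null");
        }
        // Reject control characters (NUL, TAB, CR, LF, DEL, ...) before quoting.
        if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
            throw new InvalidArgumentException("$name: control character in value");
        }
        // Attach the quoted value to its option so it is always one argument
        // and can never be parsed as a separate option.
        $parts[] = $name . escapeshellarg($value);
    }
    return implode(' ', $parts);
}

// Constructed sample inputs.
$samples = [
    ['-f' => 'bounce@example.com', '-t' => null],
    ['-f' => "o'brien@example.com with spaces"],   // stays one quoted argument
    ['-f' => "bounce@example.com\n-t"],            // rejected: control character
    ['-f -t' => 'x'],                              // rejected: bad option name
];
foreach ($samples as $params) {
    try {
        echo build_sendmail_params($params), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The returned string is already quoted for a command line, so passing it as mail()'s string 5th parameter would have php_escape_shell_cmd applied on top of it, which is the current behavior the message describes. As the message notes, the shell behind sendmail_path cannot be assumed, so this remains a mitigation.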