Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:97844
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66732 invoked from network); 18 Jan 2017 00:21:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Jan 2017 00:21:25 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:37816] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A9/91-00729-305BE785 for <internals@lists.php.net>; Tue, 17 Jan 2017 19:21:24 -0500
Received: (qmail 10025 invoked by uid 89); 18 Jan 2017 00:21:19 -0000
Received: from unknown (HELO mail-wm0-f54.google.com) (yohgaki@ohgaki.net@74.125.82.54)
  by 0 with ESMTPA; 18 Jan 2017 00:21:19 -0000
Received: by mail-wm0-f54.google.com with SMTP id r126so224119322wmr.0
        for <internals@lists.php.net>; Tue, 17 Jan 2017 16:21:19 -0800 (PST)
X-Gm-Message-State: AIkVDXJC0AI7W+fwZDgq1l/Trj7ntPZ4qd8TnQrRQ6/dhNZEVdH9ikJ8rv/vGadFKVwCV8CUnBe42M66e+HoAw==
X-Received: by 10.223.160.114 with SMTP id l47mr238128wrl.73.1484698872573;
 Tue, 17 Jan 2017 16:21:12 -0800 (PST)
MIME-Version: 1.0
Received: by 10.195.12.8 with HTTP; Tue, 17 Jan 2017 16:20:31 -0800 (PST)
In-Reply-To: <f00ee950-02dd-c58c-390c-d878d3854579@gmail.com>
References: <CAGa2bXbgPpO4CfHyHrDDhbXsysk7HDsc17nQoGtWNv4zdaq5kA@mail.gmail.com>
 <ebcef7b0-da49-91f5-6ddc-1597b04b3bcd@gmail.com> <CAGa2bXYdbu9m=pXXizzZTaBa_2SQV30Mcmh9VLQuFgKANbyx_A@mail.gmail.com>
 <f00ee950-02dd-c58c-390c-d878d3854579@gmail.com>
Date: Wed, 18 Jan 2017 09:20:31 +0900
X-Gmail-Original-Message-ID: <CAGa2bXY4u2hP3TiOK756+on0vgLxGFAAgu42m7=bLfT-0pshRQ@mail.gmail.com>
Message-ID: <CAGa2bXY4u2hP3TiOK756+on0vgLxGFAAgu42m7=bLfT-0pshRQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c184686e5fe4e05465364de
Subject: Re: [PHP-DEV] Improving mail() 5th parameter handling
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--94eb2c184686e5fe4e05465364de
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Wed, Jan 18, 2017 at 1:26 AM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

>
> > I cannot reseach all kinds of sendmail binaries. If there are exotic
> > sendmail binaries,
> > I would like to know the reference for them. Thank you.
>
> I don't think it is a good idea to specialize for specific binaries.


This is what I thought, too.

"sendmail" binary should be compatible with "sendmail", but there may be
binaries aren't compatible sendmail style options. Stricter validation
provides
better security while there is compatibility risk.

We cannot specify sendmail binary nor shell, i.e. cannot make sure how it
works
and there is chance for security and compatibility risk. I prefer stricter
validation
for better security.

However, it could be somewhere between.

 - Allow only alpha numeric + '-' + '_'   + '/' (Only under Windows) for
option names

What do you think?

If anyone know more chars should be allowed, please comment.
e.g. XYZ sendmail requires "sendmail -f='sender'" style.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--94eb2c184686e5fe4e05465364de--