Hi,
Sort of mailing this in as the result of the rantings of quite a few
mates of mine who look after shared hosting boxes.
Would it be acceptable to do up a patch for the mail() function which'll
listen to an ini entry[0] for a logfile to log all mail sent using this
function.
Basically, the reasoning boils down to when some naive user writes a
little bit of a bad script then somebody exploits that nasty script,
there's no way to tell which virtualhost has sent which mail and to whom.
The format I'm thinking of is:
[timestamp] [http_host] [script] [subject] [from]
If I could work out a way to do this as a pecl module, I'd be more than
happy to, but I can't see such a way - If anybody can point me in the
right direction here though, please shout.
I'm more than happy to draft up a patch for this rather than just
talking about it, and I do feel it's an important issue - not least in
order to kill a certain amount of the FUD that I hear about php on this
issue.
[0] I know, ini entries bad - but for this purpose, justified I feel.
I'd like to do two: mail_log = bool & mail_logfile = string.
Opinions? Good or bad? Should I go ahead with doing up a patch or not?
Cheers.
--
Gareth Ardron
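
An added example, not part of the original message or of any PHP patch: Python code that writes and reads the proposed `[timestamp] [http_host] [script] [subject] [from]` line so that sender-influenced fields cannot forge extra entries, then counts mail per virtual host. The escaping rule, the timestamp layout and all function names are assumptions; the hostnames and mails are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

FIELDS = ("timestamp", "http_host", "script", "subject", "from")
_FIELD = r"\[((?:[^\[\]\\]|\\.)*)\]"  # one bracketed field, backslash escapes allowed
LINE_RE = re.compile("^" + " ".join([_FIELD] * len(FIELDS)) + "$")

def _escape(value):
    # Subject, From and Host are influenced by whoever drives the script, so
    # backslashes, brackets and CR/LF are escaped (assumed rule) to keep one
    # mail from closing its field early or starting a fake log line.
    out = value.replace("\\", "\\\\").replace("[", "\\[").replace("]", "\\]")
    return out.replace("\r", "\\r").replace("\n", "\\n")

def _unescape(value):
    table = {"r": "\r", "n": "\n"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), value)

def format_entry(when, http_host, script, subject, sender):
    # Timestamp layout is an assumption; the proposal does not specify one.
    parts = (when.strftime("%Y-%m-%dT%H:%M:%SZ"), http_host, script, subject, sender)
    return " ".join("[" + _escape(p) + "]" for p in parts)

def parse_entry(line):
    m = LINE_RE.match(line)
    if m is None:
        return None  # malformed or forged-looking line: skipped, not guessed at
    return dict(zip(FIELDS, (_unescape(g) for g in m.groups())))

def mails_per_host(lines):
    counts = Counter()
    for line in lines:
        entry = parse_entry(line.rstrip("\n"))
        if entry:
            counts[entry["http_host"]] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample: the second subject tries to forge an entry for another vhost.
    now = datetime(2006, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    log = [
        format_entry(now, "shop.example.test", "/contact.php", "Hello", "a@example.test"),
        format_entry(now, "shop.example.test", "/contact.php",
                     "x] [y]\n[t] [blog.example.test", "b@example.test"),
    ]
    print(mails_per_host(log))
```
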
Gareth Ardron wrote:
> Hi,
> Sort of mailing this in as the result of the rantings of quite a few
> mates of mine who look after shared hosting boxes.
> Would it be acceptable to do up a patch for the mail() function which'll
> listen to an ini entry[0] for a logfile to log all mail sent using this
> function.
You can do this in "admin-space":
http://blog.phpdoc.info/archives/20-mail-replacement-a-better-hack.html
True, it doesn't prevent the user from ini_set()ing, but unless you're
blocking the socket functions, the user can get around this anyway.
S
Sean Coates wrote:
> Gareth Ardron wrote:
> > Hi,
> > Sort of mailing this in as the result of the rantings of quite a few
> > mates of mine who look after shared hosting boxes.
> > Would it be acceptable to do up a patch for the mail() function which'll
> > listen to an ini entry[0] for a logfile to log all mail sent using this
> > function.
> You can do this in "admin-space":
> http://blog.phpdoc.info/archives/20-mail-replacement-a-better-hack.html
> True, it doesn't prevent the user from ini_set()ing, but unless you're
> blocking the socket functions, the user can get around this anyway.
I do like that, and I agree that it works when people put a modicum of
thought into stuff - unfortunately, most of the admins I know at least
just install, set up php.ini and leave it. This is the problem, the
admins are as useless as the users they so readily poke fun at, but if
there's a nice easy way to get it working, so much the better.