Would anyone object to disallowing setting mail.force_extra_parameters
from .htaccess? The problem is that mail.force_extra_parameters can pass
arbitrary arguments to the mail tool, and some mail tools (especially one,
guess which ;) have a lot of parameters that allow, in particular,
reading and writing arbitrary files - which may be a problem with
safe_mode (yes, I know, but we are still in 5.x) and open_basedir.
I understand that mail.force_extra_parameters was meant for sysadmins
anyway, so disallowing .htaccess from changing it seems ok. Objections?
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
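For a sysadmin who wants the setting pinned today, independently of whether the core change goes in, the following is an added example (not code from this thread or from php-src) of keeping mail.force_extra_parameters under server-configuration control with mod_php. It relies on two documented facts: php_admin_value cannot be used in .htaccess and cannot be overridden by php_value or ini_set(), and mail.force_extra_parameters always replaces the fifth argument of mail(). The host name, paths and the "-f" envelope-sender value are placeholders.

```apache
# httpd.conf (administrator-controlled; users cannot edit this file)
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example

    # Pin the sendmail binary and the extra parameters here.
    # php_admin_value is only honoured in the main server config and
    # <VirtualHost>/<Directory> blocks there, never in .htaccess, and
    # a later php_value or ini_set() for the same directive is refused.
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i"
    php_admin_value mail.force_extra_parameters "-f bounces@example.test"

    <Directory /var/www/example>
        # Users may still tune other PHP settings per directory with
        # php_value/php_flag in .htaccess; the two directives above are
        # no longer theirs to change.
        AllowOverride FileInfo Options
    </Directory>
</VirtualHost>

# /var/www/example/.htaccess (user-controlled)
# Attempting to push arguments into the mail tool from here is ignored
# because the directive was already fixed with php_admin_value above:
#   php_value mail.force_extra_parameters "-f someone@else.test"
# Settings not pinned by the admin still work as usual:
php_value upload_max_filesize 8M
```

The point of the pairing is that anything a site user can place in .htaccess (the php_value line, shown commented out) loses against the php_admin_value line the sysadmin owns, which is the same "for sysadmins only" property the proposal wants PHP itself to enforce for this directive.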
You definitely got a +10000 from me for the exact same reasons; it's
for sysadmins, and if you have that in your .htaccess I believe this is
a problem.
--
David Coallier,
Founder & Software Architect,
Agora Production (http://agoraproduction.com)
51.42.06.70.18
+1 One less thing for users to change.
Regards
--jm