I'll revise the patch to allow for older configurations to work. I find it 
somewhat strange that you do not see a problem with allowing a function not 
intended for command execution to act as such. For the record, not only is 
safe_mode affected: people who rely on the disable_functions INI directive to 
disallow command execution would also be affected. Not to mention that this 
results in SIGPIPE and several writes to an invalid file descriptor. 

The BC break itself is not something that would force people to rewrite their 
code; the fix is a single-line change inside PHP.ini that would make their 
system more secure and prevent searching for the sendmail binary on every 
execution, making the e-mail sending process slightly faster.

Ilia

On October 10, 2003 12:08 pm, Sascha Schumann wrote:
>     I don't buy the security line you are trying to tuck onto
>     your non-silent termination patch.  If you are concerned
>     about safe mode, fine, enable the patch for safe mode only.
>
>     Having a warning in the case that the shell execution failed
>     (it returns a non-zero error code, right?) makes sense, but
>     you are intentionally breaking configurations which work
>     flawlessly with older PHP versions.
>
>     - Sascha
>
> On Fri, 10 Oct 2003, Ilia Alshanetsky wrote:
> > Sascha,
> >
> > The purpose of the patch is to prevent silent termination of mail() when
> > sendmail_path contains a non-existent path or a non-executable file. The
> > backwards compatibility break was unintentional, however previous
> > behavior may in fact be a security issue. Consider the following
> > situation. I have sendmail_path set to "sendmail -t", inside my script I
> > set PATH to ".", now by placing any executable file (sendmail) inside the
> > current (or specified) directory I can execute it freely bypassing
> > safe_mode, open_basedir and any other limitations. Same would be true if
> > someone were to place a 'hostile' sendmail binary inside a directory
> > whose PATH order precedes that of the real sendmail. It would allow the
> > attacker to capture all text sent by PHP via e-mail.
> > As I understand, part of the reason for making sendmail_path a system INI
> > directive was to allow the server admin & only the server admin to
> > control this directive. By allowing incomplete paths we potentially allow
> > a user to act as an admin.
> >
> > Ilia

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
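A shell model of the PATH lookup Ilia describes above, added here as an illustration; it is not part of the thread and not PHP's own code. It relies on what PHP's mail() actually does on Unix: the sendmail_path string is handed to popen(), which runs it through sh -c, so a relative "sendmail -t" is resolved against PATH at call time while an absolute path is not. The working directory, the stand-in sendmail scripts, the attacker directory and the message are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread or from PHP itself. It models what
# PHP's mail() does with sendmail_path: the string is handed to popen(), which
# runs it through "sh -c", so a bare command name like "sendmail -t" is looked
# up in PATH at call time. Every directory and "sendmail" below is constructed
# for the demonstration.

WORK="${TMPDIR:-/tmp}/sendmail-path-demo.$$"

# make_sendmail DIR LABEL: install a stand-in sendmail in DIR that saves the
# message it receives on stdin and prints LABEL so we can tell which copy ran.
make_sendmail() {
    dir="$1"; label="$2"
    mkdir -p "$dir"
    printf '#!/bin/sh\ncat > "%s/captured.txt"\necho %s\n' "$dir" "$label" \
        > "$dir/sendmail"
    chmod +x "$dir/sendmail"
}

# deliver SENDMAIL_PATH ATTACKER_DIR: emulate mail() with ATTACKER_DIR placed
# first in PATH (a script can do this by setting PATH before calling mail()).
# Prints the label of the binary that handled the message, or "failed:N"
# with the shell's exit status when the command could not be run at all.
deliver() {
    sendmail_path="$1"; attacker_dir="$2"
    if out=$(printf 'To: admin@example.com\nSubject: test\n\nsecret body\n' \
             | PATH="$attacker_dir:$PATH" sh -c "$sendmail_path" 2>/dev/null)
    then
        echo "$out"
    else
        echo "failed:$?"
    fi
}

# demo: run the cases the thread argues about and print the outcomes.
demo() {
    make_sendmail "$WORK/real" real          # the administrator's sendmail
    make_sendmail "$WORK/planted" planted    # attacker's copy, earlier in PATH
    mkdir -p "$WORK/noexec"
    : > "$WORK/noexec/sendmail"              # exists but is not executable

    relative=$(deliver "sendmail -t" "$WORK/planted")
    absolute=$(deliver "$WORK/real/sendmail -t" "$WORK/planted")
    missing=$(deliver "/nonexistent/sendmail -t" "$WORK/planted")
    noexec=$(deliver "$WORK/noexec/sendmail -t" "$WORK/planted")

    rm -rf "$WORK"
    echo "$relative $absolute $missing $noexec"
}

demo   # prints: planted real failed:127 failed:126
```

Run it and the relative form reports that the planted copy handled (and captured) the message, the absolute form reaches the real sendmail regardless of PATH, and the two broken values fail with exit status 127 (not found) and 126 (not executable), the conditions the patch under discussion makes mail() report instead of swallowing. The single-line php.ini change Ilia refers to is making sendmail_path an absolute path.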