Markus Fischer wrote:

Ilia Alshanetsky wrote:
I'm thinking about this from an ISP point of view... we get a lot of
abuse reports because people have poorly written form handlers. It
would be great if we could have PHP insert the full URL, domain name
included, in the mail headers for anything it sends. Would that be
possible?

That is way too much information to include in an e-mail header; this
would in fact be an information disclosure vulnerability in many eyes. The
log file that you can enable provides you with the full path to the
script that called mail, which is more than enough to identify the
offending script and/or application.

In case someone would use a library installed on the server where the
mail() call is, e.g. in /usr/lib/PEAR/lib/php/Mail/Transport/PHP_Mail.php
(just an example), would this really help in identifying the cause of the
problem? No domain, no URL; I think it would be hard to determine who
used it.

Cracking point. Putting the domain in a header would make this far more useful, and I don't think that's too much info to include in a header. Ideally it would be the full URL, and I have to say that I don't think that's too much information for a mail header, and it's exactly what would be needed.

-Stut

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php