Last modified: 2011-03-13 18:04:43 UTC
-- UserMailer.php 2004-10-08 00:42:46.000000000 +0200 +++ UserMailer.php~ 2004-10-08 00:42:46.000000000 +0200 @@ -52,7 +52,7 @@ $wgErrorString = ""; set_error_handler( "mailErrorHandler" ); - mail( $to, $subject, $body, $headers, "-f {$from}" ); + mail( $to, $subject, $body, $headers ); restore_error_handler(); return $wgErrorString;
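Review bot: the mail() call in this hunk loses its fifth argument with no comment saying where the envelope sender now comes from; add a one-line comment above mail( $to, $subject, $body, $headers ) stating that it is left to the server's mail configuration, so the argument is not reinstated by accident. The removed form interpolated $from into "-f {$from}" without escaping, so any later reintroduction should validate the address and pass it through escapeshellarg(). The file headers also list UserMailer.php as the old side and UserMailer.php~ as the new side; confirm the diff was taken in the intended direction.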
Brion: this has already been fixed together with my Enotif patch for several weeks. For Enotif see http://bugzilla.wikipedia.org/show_bug.cgi?id=454 . For those interested in why the optional fifth parameter is necessary: read the PHP manual on the mail() function.

Tom
-f sets the envelope sender in the SMTP headers, not the From: address in the e-mail.

Using the from address for this would usually be incorrect and would result in many mails being dropped as spam (e.g. by SPF checking). It could also result in bounce messages being sent to the From: address, which could violate our privacy policy. Using the server admin contact address from LocalSettings.php would likely very often be incorrect and result in mails being dropped as spam (e.g. by SPF checking).

Use of the additional parameters field is also disabled in safe mode, and would break all e-mail sending.

At worst, dropping the address into the command-line parameter could be a security vulnerability if not escaped properly.

If the envelope sender needs to be set differently, the web server's php.ini should ensure that this is set correctly.
(In reply to comment #2)
> -f sets the envelope sender in the SMTP headers, not the From: address in the e-mail.
>
> Using the from address for this would usually be incorrect and would result in many mails
> being dropped as spam (e.g. by SPF checking). It could also result in bounce messages being
> sent to the From: address, which could violate our privacy policy. Using the server admin
> contact address from LocalSettings.php would likely very often be incorrect and result in
> mails being dropped as spam (e.g. by SPF checking).
>
> Use of the additional parameters field is also disabled in safe mode, and would break all
> e-mail sending.
>
> At worst, dropping the address into the command-line parameter could be a security
> vulnerability if not escaped properly.
>
> If the envelope sender needs to be set differently, the web server's php.ini should ensure
> that this is set correctly.
>

(copying all for completeness)

Brion, someone has contacted me who runs a wiki hosted on an external server, and PHP SAFE MODE is enabled there. The wiki mail functions do not work, which is due to this -f envelope parameter and safe mode being enabled (which he perhaps cannot disable).

What will be the best suggestion and solution for these cases? What should the user change within the UserMailer() mail function or somewhere else?

Remark for all: this PHP mail() problem is not restricted to the enotif functions; it is vital for _all_ wiki mail functions such as "Mail me a new password" or "EmailUser", which all go via UserMailer:UserMailer() .

Thanks in advance for assistance

Tom
(changed title)
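
One way to reconcile the points raised in the comments above (an unescaped address on the command line, safe mode rejecting the fifth parameter, and an envelope sender that is distinct from From:), as an added example that is not MediaWiki's code. The function names and the separately configured bounce address are assumptions.

```php
<?php
// Added example, not MediaWiki code. All function names are hypothetical.

// True when the php.ini flag is switched on ("1", "On", "true", "yes").
function iniFlagEnabled( $name ) {
    $value = strtolower( trim( (string)ini_get( $name ) ) );
    return in_array( $value, array( '1', 'on', 'true', 'yes' ), true );
}

// Build the fifth mail() argument for a site-configured bounce address.
// Returns null when the argument must not be passed at all.
function envelopeSenderParam( $bounceAddress ) {
    // Safe mode disables the fifth parameter, so passing it breaks sending.
    if ( iniFlagEnabled( 'safe_mode' ) ) {
        return null;
    }
    // Conservative allow-list: no whitespace, quotes or shell metacharacters,
    // and no leading "-" that sendmail could read as another option.
    if ( !preg_match( '/^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*$/D', $bounceAddress ) ) {
        return null;
    }
    // The allow-list already excludes quoting characters; escapeshellarg()
    // is a second layer in case the pattern is loosened later.
    return '-f' . escapeshellarg( $bounceAddress );
}

// Send with an explicit envelope sender only when it is safe to do so;
// otherwise fall back to the envelope sender the server's php.ini provides.
function sendWikiMail( $to, $subject, $body, $headers, $bounceAddress = null ) {
    $param = ( $bounceAddress === null ) ? null : envelopeSenderParam( $bounceAddress );
    if ( $param === null ) {
        return mail( $to, $subject, $body, $headers );
    }
    return mail( $to, $subject, $body, $headers, $param );
}

// Constructed sample inputs, not taken from the bug report.
$samples = array( 'bounces@wiki.example.org', 'bounces@wiki.example.org extra', '-bounces@wiki.example.org' );
foreach ( $samples as $sample ) {
    var_dump( envelopeSenderParam( $sample ) );
}
```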