Last modified: 2011-03-13 18:04:43 UTC

Bug 664 - UserMailer.php php mail() -f additional parameter field for SMTP mail sender envelope vs. PHP safe mode enabled
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware: PC Linux
Importance: Lowest normal with 2 votes
Assigned To: Nobody - You can work on this!
Reported: 2004-10-08 04:02 UTC by d-killer
Modified: 2011-03-13 18:04 UTC (History)
Description d-killer 2004-10-08 04:02:13 UTC
-- UserMailer.php      2004-10-08 00:42:46.000000000 +0200
+++ UserMailer.php~     2004-10-08 00:42:46.000000000 +0200
@@ -52,7 +52,7 @@

                 $wgErrorString = "";
                 set_error_handler( "mailErrorHandler" );
 -               mail( $to, $subject, $body, $headers, "-f {$from}" );
 +               mail( $to, $subject, $body, $headers );
                 restore_error_handler();

                 return $wgErrorString;
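Review bot: The fifth argument on the "-" line, "-f {$from}", interpolates $from directly into the additional-parameters string that mail() passes on to the sendmail command line, and nothing in this hunk validates or escapes it; any version of this call that keeps -f should take a validated bare address and run it through escapeshellarg() first. The file headers also compare UserMailer.php against UserMailer.php~, which looks like an editor backup, so it is unclear whether the change is meant to add or remove -f; please regenerate the diff old-to-new and say which is intended, since the description contains nothing but the patch.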
Comment 1 T. Gries 2004-11-05 19:02:38 UTC
Brion: this is already fixed together with my Enotif patch since several weeks.
For Enotif see http://bugzilla.wikipedia.org/show_bug.cgi?id=454 . For those
being interested why the optional fifth parameter is necessary: read PHP manual
mail() function. 

Tom
Comment 2 Brion Vibber 2005-06-02 03:10:05 UTC
-f sets the envelope sender in the SMTP headers, not the From: address in the e-mail.

Using the from address for this would usually be incorrect and would result in many mails being dropped as spam (e.g. by SPF checking). It could also result in bounce messages being sent to the From: address, which could violate our privacy policy. Using the server admin contact address from LocalSettings.php would likely very often be incorrect and result in mails being dropped as spam (e.g. by SPF checking).

Use of the additional parameters field is also disabled in safe mode, and would break all e-mail sending.

At worst, dropping the address into the command-line parameter could be a security vulnerability if not escaped properly.

If the envelope sender needs to be set differently, the web server's php.ini should ensure that this is set correctly.
Comment 3 T. Gries 2005-06-19 13:07:30 UTC
(In reply to comment #2)
> -f sets the envelope sender in the SMTP headers, not the From: address in the
> e-mail.
>
> Using the from address for this would usually be incorrect and would result in
> many mails being dropped as spam (e.g. by SPF checking). It could also result in
> bounce messages being sent to the From: address, which could violate our privacy
> policy. Using the server admin contact address from LocalSettings.php would
> likely very often be incorrect and result in mails being dropped as spam (e.g. by
> SPF checking).
>
> Use of the additional parameters field is also disabled in safe mode, and
> would break all e-mail sending.
>
> At worst, dropping the address into the command-line parameter could be a
> security vulnerability if not escaped properly.
>
> If the envelope sender needs to be set differently, the web server's php.ini
> should ensure that this is set correctly.
>
(copying all for completeness)

Brion,

someone has contacted me, who runs a wiki hosted on an external server, and PHP
SAFE MODE is enabled there. 
The wiki mail functions do not work which is due to this -f envelope parameter
and safe mode enabled (which he perhaps cannot disable).

What will be the best suggestion and solution for these cases?
What should the user change within the UserMailer() mail function or somewhere
else?

Remark for all:
this php mail() problem is not restricted to the enotif functions; it is vital
for _all_ wiki mail functions such as "Mail me a new password" or "EmailUser"
which all go via UserMailer:UserMailer().

Thanks in advance for assistance
Tom
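
One way to address the two concerns raised in comments 2 and 3 (an unescaped address in the -f parameter, and safe mode rejecting the fifth argument), as an added example that is not MediaWiki's code. The function names and the idea of a separately configured bounce address are assumptions.

```php
<?php
// Added example, not MediaWiki code. $envelopeSender is assumed to be a
// bounce address taken from site configuration, not the From: address of
// the user who triggered the mail.

/**
 * Build the fifth mail() argument, or return null when it must be omitted
 * (safe mode is on, or the address is not a plain mailbox).
 */
function envelopeSenderParam( $envelopeSender ) {
    // With safe mode enabled, mail() refuses the additional parameters
    // argument, so do not pass one at all. ini_get() returns false when
    // the directive does not exist, which is treated as "off" here.
    if ( filter_var( ini_get( 'safe_mode' ), FILTER_VALIDATE_BOOLEAN ) ) {
        return null;
    }
    // Allowlist first: spaces, quotes, backslashes or a leading '-' would
    // let the value be read as further sendmail options.
    $plain = '/^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*$/D';
    if ( !is_string( $envelopeSender ) || !preg_match( $plain, $envelopeSender ) ) {
        return null;
    }
    // Quote the validated value so it stays a single argument to -f.
    return '-f' . escapeshellarg( $envelopeSender );
}

/**
 * Send mail, setting the envelope sender only when that is safe to do.
 */
function sendMailWithEnvelope( $to, $subject, $body, $headers, $envelopeSender ) {
    $param = envelopeSenderParam( $envelopeSender );
    if ( $param === null ) {
        // Four-argument form: the envelope sender is whatever the server's
        // php.ini / MTA configuration provides, as comment 2 suggests.
        return mail( $to, $subject, $body, $headers );
    }
    return mail( $to, $subject, $body, $headers, $param );
}

// Constructed inputs: a plain address, and one with a trailing option-like
// token that the allowlist rejects.
foreach ( array( 'bounces@wiki.example', 'user@wiki.example --extra' ) as $addr ) {
    var_dump( envelopeSenderParam( $addr ) );
}
```
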

Comment 4 T. Gries 2005-06-19 13:13:29 UTC
(changed title)
