Description of problem:
When a script on the webserver sends mail, using PHP's mail(), it embeds some extra headers:
These *cannot* be configured to be turned off, and leak private information!
The recipient of an email that has been routed through this webserver should not be able to discover the sender's IP address.
This feature is not mentioned in php.ini, and cannot be controlled by it. Instead, it is hardcoded in the RPM's php-mail.diff
I see why the feature exists - it can be useful to prevent spam and other abuse of webserver mail forms. BUT it's a rather nasty privacy hole in certain cases.
(I originally mistakenly reported it as a PHP bug upstream, see URL above for more details).
How reproducible:
All the time.
Steps to Reproduce:
1. Use PHP's mail() function in a webserver script.
2. Read the mail; observe the extra headers.
1. At least document this somewhere - and add a comment to php.ini.
2. Make it configurable (in php.ini) and imho, default to off.
3. The feature should probably be an upstream one?
4. Nonstandard headers should begin with "X-", eg "X-MAGEIA-HTTP-POSTING-CLIENT".
Workaround: use Postfix to strip these headers out again (assuming that the MTA in use actually is postfix):
1. Enable header-checks, in /etc/postfix/main.cf :
header_checks = regexp:/etc/postfix/header_checks
2. Specify the headers to strip, in /etc/postfix/header_checks :
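As an added example (not part of this bug report or of the Mageia package), the Python script below does two things a practitioner would want around the workaround above: it checks a received message for headers that leak the posting client's address, and it strips them with the same regexp semantics that a Postfix header_checks IGNORE rule applies in the MTA, so the rule can be verified before it is deployed. The header name MAGEIA-HTTP-POSTING-CLIENT is a placeholder borrowed from the naming suggestion in the report; the real header names added by php-mail.diff are not listed here, so read them off a received message first and adjust the pattern. The sample message is constructed.

```python
import re
from email import message_from_string

# What this example assumes /etc/postfix/header_checks contains. Postfix
# matches each logical header line against the pattern, case-insensitively,
# and the IGNORE action silently drops that header. MAGEIA-HTTP-POSTING-CLIENT
# is a placeholder name taken from the report's suggestion, not the real
# header added by the patch.
HEADER_CHECKS_RULES = [
    r"^(X-)?MAGEIA-HTTP-POSTING-CLIENT:",
]
_RULES = [re.compile(p, re.IGNORECASE) for p in HEADER_CHECKS_RULES]

# Trace headers legitimately carry IP addresses and must not be stripped.
TRACE_HEADERS = {"received", "return-path"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of a message as it could arrive after passing through
# the patched PHP mail(); the leaking header and its value are invented.
SAMPLE = """Received: from web.example.org (192.0.2.10) by mx.example.net
From: webform@example.org
To: recipient@example.net
Subject: Contact form
MAGEIA-HTTP-POSTING-CLIENT: 203.0.113.7
X-Mailer: PHP/5.3.10

Hello from the contact form.
"""


def find_leaks(raw):
    """Return (name, value) pairs for headers that either match a strip rule
    or are non-trace headers carrying an IPv4 literal. Run this on a received
    message to confirm the leak before and after enabling header_checks."""
    msg = message_from_string(raw)
    leaks = []
    for name, value in msg.items():
        line = "%s: %s" % (name, value)
        if any(r.search(line) for r in _RULES):
            leaks.append((name, value))
        elif name.lower() not in TRACE_HEADERS and IPV4.search(value):
            leaks.append((name, value))
    return leaks


def strip_leaks(raw):
    """Return the message with every header matching a rule removed, which
    is what the IGNORE action in header_checks does inside Postfix."""
    msg = message_from_string(raw)
    for name in list(msg.keys()):
        if any(r.search("%s:" % name) for r in _RULES):
            del msg[name]  # removes every occurrence of that header
    return msg.as_string()


if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE))
    cleaned = strip_leaks(SAMPLE)
    print("after: ", find_leaks(cleaned))
    print(cleaned)
```

Once the pattern matches the real header on your system, put the same regexp line (with the IGNORE action) into /etc/postfix/header_checks and test it against the live table with `postmap -q "MAGEIA-HTTP-POSTING-CLIENT: 203.0.113.7" regexp:/etc/postfix/header_checks`, then `postfix reload`. The rule deliberately leaves X-PHP-Originating-Script alone: that header, added by PHP's mail.add_x_header option, carries the uid and script path rather than the client's address.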
Hi, thanks for reporting this bug.
Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
According to Rasmus, https://bugs.php.net/bug.php?id=61131 , this particular patch is doing the wrong thing, in the wrong way.
(The right way to get this info is to use PHP's existing mail.add_x_header option, then get the client info from the logfiles)
Given that, imho, the PLD patch, php-mail.diff is both harmful and redundant, may I suggest simply dropping it?
I will take it out if nobody objects. We still have some time before the release of mga2 to test it.
Patch removed. Would you please test it.
I'll be happy to test it. Where is the package? (Maybe it hasn't hit the mirrors yet?)
It installed here from ftp://mirrors.kernel.org
Resolved and fixed