Bug 4571 - PHP's mail() SRPM contains a patch that leaks private information
Summary: PHP's mail() SRPM contains a patch that leaks private information
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thomas Spuhler
QA Contact:
URL: https://bugs.php.net/bug.php?id=61131
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2012-02-18 07:12 CET by Richard Neill
Modified: 2012-03-22 05:41 CET

See Also:
Source RPM: php-5.3.10-2.mga2.src.rpm
CVE:
Status comment:



Description Richard Neill 2012-02-18 07:12:22 CET
Description of problem:

When a script on the webserver sends mail, using PHP's mail(), it embeds some extra headers:

  HTTP-Posting-Client: USERS_IP_ADDRESS
  HTTP-Posting-URI: MY_WEBSITE:80/PATH/TO/FILE.php
  HTTP-Posting-User-Agent: THE_USER_AGENT

These *cannot* be configured to be turned off, and leak private information!
The recipient of an email that has been routed through this webserver should not be able to discover the sender's IP address.

This feature is not mentioned in php.ini, and cannot be controlled by it. Instead, it is hardcoded in the RPM's php-mail.diff.

I see why the feature exists - it can be useful to prevent spam and other abuse of webserver mail forms. BUT it's a rather nasty privacy hole in certain cases.

(I originally mistakenly reported it as a PHP bug upstream, see URL above for more details).

How reproducible:

All the time.

Steps to Reproduce:
1. Use PHP's mail() function in a webserver script.
2. Read the mail; observe the extra headers.


Proposed Solutions:

1. At least document this somewhere - and add a comment to php.ini.
2. Make it configurable (in php.ini) and imho, default to off.
3. The feature should probably be an upstream one?
4. Nonstandard headers should begin with "X-", eg "X-MAGEIA-HTTP-POSTING-CLIENT".
Comment 1 Richard Neill 2012-02-18 08:07:28 CET
Workaround: use Postfix to strip these headers out again (assuming that the MTA in use actually is postfix):

1. Enable header-checks, in /etc/postfix/main.cf :
    header_checks = regexp:/etc/postfix/header_checks

2. Specify the headers to strip, in /etc/postfix/header_checks :

/^HTTP-Posting-Client:/         IGNORE
/^HTTP-Posting-URI:/            IGNORE
/^HTTP-Posting-User-Agent:/     IGNORE
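As an added example (not from the bug report, the commenter, or the Mageia package), a small check a practitioner could run against a message captured from the mail spool to verify the leak: it parses the raw message, reports any of the three HTTP-Posting-* headers that survived, and shows the result the Postfix IGNORE rules above are meant to produce by removing them. The sample message and its values are constructed placeholders.

```python
import email
from email import policy

# Header names that the php-mail.diff patch injected into every message sent
# through PHP's mail(); compared case-insensitively, as header names are.
LEAKED_HEADERS = ("HTTP-Posting-Client", "HTTP-Posting-URI", "HTTP-Posting-User-Agent")

# Constructed sample of a message sent through the patched mail(); the values
# are placeholders, not data from any real server.
SAMPLE_RAW = (
    "From: webform@example.org\r\n"
    "To: admin@example.org\r\n"
    "Subject: Contact form submission\r\n"
    "HTTP-Posting-Client: 203.0.113.7\r\n"
    "HTTP-Posting-URI: www.example.org:80/contact/send.php\r\n"
    "HTTP-Posting-User-Agent: ExampleBrowser/1.0 (constructed)\r\n"
    "\r\n"
    "Hello from the contact form.\r\n"
)


def find_leaked_headers(raw):
    """Return (name, value) pairs for every HTTP-Posting-* header present."""
    wanted = {h.lower() for h in LEAKED_HEADERS}
    msg = email.message_from_string(raw, policy=policy.default)
    return [(name, str(value)) for name, value in msg.items()
            if name.lower() in wanted]


def strip_leaked_headers(raw):
    """Return the message with the three headers removed, i.e. what the
    Postfix header_checks IGNORE rules are meant to leave behind."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name in LEAKED_HEADERS:
        del msg[name]  # removes every occurrence, case-insensitively
    return msg.as_string()


def is_clean(raw):
    """True when the message carries none of the leaked headers."""
    return not find_leaked_headers(raw)


if __name__ == "__main__":
    for name, value in find_leaked_headers(SAMPLE_RAW):
        print(f"leaked header: {name}: {value}")
    print("clean after stripping:", is_clean(strip_leaked_headers(SAMPLE_RAW)))
```

Pointing the same check at a message produced after the patch is dropped (or after header_checks is enabled) should report no leaked headers.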
Comment 2 Manuel Hiebel 2012-02-19 09:00:20 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => thomas

Comment 3 Richard Neill 2012-03-10 07:05:04 CET
According to Rasmus, https://bugs.php.net/bug.php?id=61131 , this particular patch is doing the wrong thing, in the wrong way.

(The right way to get this info is to use PHP's existing mail.add_x_header option, then get the client info from the logfiles)

Given that, imho, the PLD patch, php-mail.diff is both harmful and redundant, may I suggest simply dropping it?
Comment 4 Thomas Spuhler 2012-03-11 00:37:07 CET
I will take it out if nobody objects. We still have some time before the release of mga2 to test it.

Status: NEW => ASSIGNED

Comment 5 Thomas Spuhler 2012-03-16 03:45:39 CET
Patch removed. Would you please test it.
Comment 6 Richard Neill 2012-03-16 04:06:22 CET
I'll be happy to test it. Where is the package?  (Maybe it hasn't hit the mirrors yet?)
Comment 7 Thomas Spuhler 2012-03-17 16:32:57 CET
It installed here from ftp://mirrors.kernel.org
Comment 8 Thomas Spuhler 2012-03-22 05:41:18 CET
Resolved and fixed

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

