Bug #22214

in class t3lib_htmlmail, function sendTheMail() uses a problematic @ini_set for sendmail_from

Added by Stephan Seitz almost 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2010-03-01
Due date:
% Done:

0%

TYPO3 Version:
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If php has been built with suhosin and runs via FCGI SAPI, the @ini_set() function call is not ignored (which is obviously expected). Instead, the php process quits without closing the fcgi handler properly.
Due to the lack of proper fcgi communication, the webserver returns an error 500.

This can be seen as a faulty php behaviour.
Anyway, the @ini_set() call does not work on most Unices, except the administrator configured the local MTA to accept manipulation from unprivileged users which is highly discouraged.
To keep the fix narrow, I suggest to use @ini_set() only if TYPO3_OS == WIN as Windows seems to be the only OS in the wild which accepts such header manipulations without any privilege problems.

Install some php5.2 with suhosin path and run it with fastcgi or fcgi. Using sendTheMail() by e.g. frontend user registrion gives you a reproducable 500 server error.
Remove @ini_set() in t3lib_htmlmail::sendTheMail() and the problem is fixed without any loss of functionality.

Keeping a wider view on sendTheMail(), I suggest to open a discussion if php's mail() shouldn't get replaced by a SMTP handler.
mail() has been into php since the very beginning without any greater modifications, but in more and more shared hosting environments it's use is technically restricted or banned by contract.
There have been fruitless discussions about the issue at the php bugtracker, so it's unlikely to get an advanced SMTP-capable mail() function. Pear's net_SMTP provides classes which could obsolete the use of mail() completely.
(issue imported from #M13701)

bug_13701_against_trunk.diff (2.15 KB) Administrator Admin, 2010-05-10 17:48

bug_13701.diff View (959 Bytes) Administrator Admin, 2010-05-10 17:48

History

#1 Updated by Julian Hofmann over 7 years ago

Stephan's RFC on the Core-list has not succeeded in a fix.
For interessent users, I've added his patches here.

#2 Updated by Georg Schönweger over 7 years ago

We are having +- the same probleme here on Ubuntu with PHP 5.2.10 (Suhosin 0.9.7)
We tried with PHP as cgi skript and NGINX as Webserver. There we get a 502 Bad Getaway Page, the php-cgi process dies, the FE-Output breaks.
Then we believed this is a NGINX <--> php-cgi Problem so we installed again Apache2 with php as module (always PHP 5.2.10, which is standart in Ubuntu 9.10). There we had this error entries in Apaches error log file:
[Thu May 13 16:35:21 2010] [error] [client 87.12.93.26] ALERT - canary mismatch on efree() - heap overflow detected (attacker '87.12.93.26', file '/usr/local/nginx/html/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php', line 718), referer: http://www.snillo.it/my-account/registrati/
So the Problem is the ini_set function. Now all extensions which are using the class.t3lib_htmlmail are affected by this "bug" For example also commerce is affected.
Now in Apache2 we do not get a 502 or 500 Error, but the Script / Extensions which are using t3lib_htmlmail has strange behavior, like duplicated mails or duplicated orders, wrong messages, redirects ecc.

So i think this is a big Problem because
1. it's hard to recognize (maybe many people are using Ubuntu and they do not even know that they have this bug.)
2. Because of the really bad behavior (2 orders instead of 1 in case of commerce ecc.)

Can anyone else post his PHP / Suhosin Version, so we can see if this is related to certain PHP Versions?

My solution for now is to disable the ini_set function in php.ini, seems to work fine, but i do not know if this has other bad side effects.

#3 Updated by Christian Kuhn over 7 years ago

Committed bug_13701.diff to:
  • trunk rev. 7787
  • 4.3 rev. 7788

Also available in: Atom PDF