--- embedaddon/php/ext/standard/mail.c 2012/02/21 23:48:02 1.1.1.1
+++ embedaddon/php/ext/standard/mail.c 2012/05/29 12:34:43 1.1.1.2
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: mail.c,v 1.1.1.1 2012/02/21 23:48:02 misho Exp $ */
+/* $Id: mail.c,v 1.1.1.2 2012/05/29 12:34:43 misho Exp $ */
 #include
 #include
@@ -42,7 +42,6 @@
 #include "php_mail.h"
 #include "php_ini.h"
 #include "php_string.h"
-#include "safe_mode.h"
 #include "exec.h"
 #ifdef PHP_WIN32
@@ -70,7 +69,7 @@
 *p = ' '; \
 } \
-extern long php_getuid(void);
+extern long php_getuid(TSRMLS_D);
 /* {{{ proto int ezmlm_hash(string addr)
 Calculate EZMLM list hash value. */
@@ -106,14 +105,7 @@ PHP_FUNCTION(mail)
 char *to_r, *subject_r;
 char *p, *e;
- if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE");
- RETURN_FALSE;
- }
-
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss", &to, &to_len, &subject, &subject_len, &message, &message_len,
- &headers, &headers_len, &extra_cmd, &extra_cmd_len) == FAILURE
- ) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss", &to, &to_len, &subject, &subject_len, &message, &message_len, &headers, &headers_len, &extra_cmd, &extra_cmd_len) == FAILURE) {
 return;
 }
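Review bot: With the safe_mode guard removed from `PHP_FUNCTION(mail)`, the fifth argument `extra_cmd` is accepted on every call, and nothing visible in this hunk constrains it before it is used. The function body continues outside the hunk, so any escaping presumably happens further down; that dependency deserves a comment at the parse call, for example `/* extra_cmd ends up on the sendmail command line: it must be shell-escaped before use */`. Installations that relied on safe_mode to block the fifth parameter lose that restriction with this change and need to confirm the remaining handling is sufficient.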
@@ -240,20 +232,63 @@ PHPAPI int php_mail(char *to, char *subject, char *mes
 efree(tmp);
 }
 if (PG(mail_x_header)) {
- char *tmp = zend_get_executed_filename(TSRMLS_C);
+ const char *tmp = zend_get_executed_filename(TSRMLS_C);
 char *f;
 size_t f_len;
 php_basename(tmp, strlen(tmp), NULL, 0,&f, &f_len TSRMLS_CC);
 if (headers != NULL) {
- spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n%s", php_getuid(), f, headers);
+ spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n%s", php_getuid(TSRMLS_C), f, headers);
 } else {
- spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n", php_getuid(), f);
+ spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n", php_getuid(TSRMLS_C), f);
 }
 efree(f);
 }
+ /* Patched by Giam Teck Choon */
+ /* start add additional headers with self tweaking with reference to Steve Bennett's PHP mail() header patch at http://www.lancs.ac.uk/~steveb/php-mail-header-patch/ */
+ /* Many thanks to Stefan Esser from hardened-php.net to report a security issue regarding PHP_SELF in headers thus I have included an extra check for \n and \r string */
+ char *headers2=NULL;
+
+ // add a header in the form
+ // X-PHP-Script: for [,]
+ while(1) {
+ zval **server, **remote_addr, **forwarded_for, **php_self, **server_name;
+
+ if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &server)==FAILURE)
+ break;
+ if (Z_TYPE_PP(server)!=IS_ARRAY)
+ break;
+ if (zend_hash_find(Z_ARRVAL_PP(server), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &remote_addr) == FAILURE)
+ break;
+ if (zend_hash_find(Z_ARRVAL_PP(server), "HTTP_X_FORWARDED_FOR", sizeof("HTTP_X_FORWARDED_FOR"), (void **) &forwarded_for) == FAILURE)
+ forwarded_for=NULL;
+ if (zend_hash_find(Z_ARRVAL_PP(server), "PHP_SELF", sizeof("PHP_SELF"), (void **) &php_self) == FAILURE)
+ break;
+ if (zend_hash_find(Z_ARRVAL_PP(server), "SERVER_NAME", sizeof("SERVER_NAME"), (void **) &server_name) == FAILURE)
+ break;
+ headers2 = emalloc(32+Z_STRLEN_PP(server_name)+Z_STRLEN_PP(php_self)
+ +(forwarded_for?Z_STRLEN_PP(forwarded_for)+2:0)
+ +Z_STRLEN_PP(remote_addr));
+ strcpy(headers2, "X-PHP-Script: ");
+ strcat(headers2, Z_STRVAL_PP(server_name));
+ if (strchr(Z_STRVAL_PP(php_self), '\n') != NULL || strchr(Z_STRVAL_PP(php_self), '\r') != NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Newline found in PHP_SELF variable which might cause possible injection '%s'", Z_STRVAL_PP(php_self));
+ }
+ else {
+ strcat(headers2, Z_STRVAL_PP(php_self));
+ }
+ strcat(headers2, " for ");
+ if (forwarded_for) {
+ strcat(headers2, Z_STRVAL_PP(forwarded_for));
+ strcat(headers2, ", ");
+ }
+ strcat(headers2, Z_STRVAL_PP(remote_addr));
+ break;
+ }
+ /* end add additional headers with self tweaking with reference to Steve Bennett's PHP mail() header patch at http://www.lancs.ac.uk/~steveb/php-mail-header-patch/ */
+
 if (!sendmail_path) {
 #if (defined PHP_WIN32 || defined NETWARE)
 /* handle old style win smtp sending */
@@ -288,7 +323,7 @@ PHPAPI int php_mail(char *to, char *subject, char *mes
 #endif
 #ifdef PHP_WIN32
- sendmail = popen(sendmail_cmd, "wb");
+ sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
 #else
 /* Since popen() doesn't indicate if the internal fork() doesn't work
 * (e.g. the shell can't be executed) we explicitely set it to 0 to be
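Review bot: The `$_SERVER` entries fetched in the added `while(1)` block are read through `Z_STRVAL_PP`/`Z_STRLEN_PP` without any `Z_TYPE_PP(...) == IS_STRING` check, and only `PHP_SELF` is tested for CR/LF even though `SERVER_NAME`, `HTTP_X_FORWARDED_FOR` and `REMOTE_ADDR` are copied into the same header line. Because `$_SERVER` is an ordinary array that a script can modify, a non-string entry would make the `emalloc`/`strcat` sequence work on a wrong length and pointer, and a line break in any of the three unchecked values would start a new header in the outgoing message. The header should be skipped when any value is not a string or contains CR/LF, and built with `spprintf`, which the surrounding code already uses, so the hand-computed `32+...` size is no longer needed. `php_mail` begins and ends outside this hunk.

```c
	/* … unchanged: the zend_hash_find() lookups for _SERVER and its entries … */
		if (Z_TYPE_PP(remote_addr) != IS_STRING || Z_TYPE_PP(php_self) != IS_STRING
			|| Z_TYPE_PP(server_name) != IS_STRING
			|| (forwarded_for && Z_TYPE_PP(forwarded_for) != IS_STRING))
			break;
		/* every value below lands in one mail header line: refuse CR/LF in any of them */
		if (strpbrk(Z_STRVAL_PP(server_name), "\r\n") || strpbrk(Z_STRVAL_PP(php_self), "\r\n")
			|| strpbrk(Z_STRVAL_PP(remote_addr), "\r\n")
			|| (forwarded_for && strpbrk(Z_STRVAL_PP(forwarded_for), "\r\n"))) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Newline found in a $_SERVER value, X-PHP-Script header not added");
			break;
		}
		spprintf(&headers2, 0, "X-PHP-Script: %s%s for %s%s%s",
			Z_STRVAL_PP(server_name), Z_STRVAL_PP(php_self),
			forwarded_for ? Z_STRVAL_PP(forwarded_for) : "",
			forwarded_for ? ", " : "",
			Z_STRVAL_PP(remote_addr));
		break;
```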
@@ -317,6 +352,14 @@ PHPAPI int php_mail(char *to, char *subject, char *mes
 #endif
 fprintf(sendmail, "To: %s\n", to);
 fprintf(sendmail, "Subject: %s\n", subject);
+ /* Patched by Giam Teck Choon */
+ /* start add additional headers with self tweaking with reference to Steve Bennett's PHP mail() header patch at http://www.lancs.ac.uk/~steveb/php-mail-header-patch/ */
+ /* Many thanks to Stefan Esser from hardened-php.net to report a security issue regarding PHP_SELF in headers thus I have included an extra check for \n and \r string */
+ if (headers2 != NULL) {
+ fprintf(sendmail, "%s\n", headers2);
+ efree(headers2);
+ }
+ /* end add additional headers with self tweaking with reference to Steve Bennett's PHP mail() header patch at http://www.lancs.ac.uk/~steveb/php-mail-header-patch/ */
 if (hdr != NULL) {
 fprintf(sendmail, "%s\n", hdr);
 }
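Review bot: `headers2` is released only here, inside the branch that writes to the open sendmail pipe, while the buffer is allocated earlier for every call. The exits of `php_mail` that lie outside this hunk (the `!sendmail_path` branch seen in the earlier hunk, and presumably a failed pipe open) would neither send the header nor free it, so each of those paths needs `if (headers2) efree(headers2);` before returning, or the header should be built only once the pipe is open. The header is also written ahead of `hdr`, so the caller-supplied headers follow it in the message; a one-line comment stating that ordering is intentional would help the next reader.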