IMPORTANT NOTE
If you have downloaded the old patch (before 12 Nov 2006), you are strongly adviced to re-download and patch your php using the new patch as it fixed one potential security risk.
Introduction
Last Updated: 15 Apr 2021 GMT +8.
This is a patch to add an informational header to messages sent from PHP via the mail() function. This can help to track which script on a server was used to send a message, and which client caused it to be sent.
The header added has the form:
X-PHP-Script: <servername><php-self> for <remote-addr>
For example:
X-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1
If the connection appears to have come via a proxy cache (i.e. has an "X-Forwarded-For" header), is a list of addresses (the addresses in X-Forwarded-For, then the 'real' remote address).
Read more at Steve Bennett's patch as I created my patches according to his patch with a little tweak/modification since his patch only available for version 4.3.4 during the time I checked and also won't be working for mail function example 1 as listed at php manual. Steve Bennett's original patch can be found here.
Disclaimer
Use at your own risk! You are free to use this script/patches/guide as long as you aware that CHOON.NET or Giam Teck Choon will not be liable for any losses and damages in connection with the use of this site's provided patches or information whatsoever. You have been warned!
Changes
- 17 Mar 2023 GMT +8
- Add version 8.2.x patch.
- For version 8.2.3 and below, please use 8.1.x patch instead.
- Thanks to Nathan Coulson for alerting me about the 8.0.x patch doesn't work for version 8.2.4.
- 17 Mar 2023 GMT +8
- Add version 8.1.x patch.
- 15 Apr 2021 GMT +8
- Add version 8.0.x patch.
- 29 Nov 2019 GMT +8
- Add version 7.4.x patch.
- 07 Dec 2018 GMT +8
- Add version 7.3.x patch.
- 08 Dec 2017 GMT +8
- Update to support version 7.2.x patch.
- 18 Oct 2017 GMT +8
- Update to support version 7.1.x patch.
- Fix crash for version 7.0.x patch. Use Alexey Koscheev's patch from koscheev.ru and test success with nginx/php-fpm
- 21 Oct 2016 GMT +8
- Fix compile for version 7.0.x patch. Thanks to Ihor Piddubnyak from Surftown
- 15 Mar 2016 GMT +8
- Move zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC); out of while loop and protect variable from changing by user. Many thanks to Alexey Koscheev from koscheev.ru.
- The change is in version 5.3.x, 5.4.x, 5.5.x, 5.6.x and 7.0.x patches
- 10 Mar 2016 GMT +8
- Hint PHP that we are going to use $_SERVER in advance by calling zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC); and this resolves issues when running PHP in CGI mode. Many thanks to Alexey Koscheev from koscheev.ru.
- This fix are in version 5.4.x, 5.5.x, 5.6.x and 7.0.x patches
- 22 Jun 2013 GMT +8
- Updated to support version 5.5.x
- 06 Mar 2012 GMT +8
- Updated to support version 5.4.x
- 11 Dec 2010 GMT +8
- Updated to support version 5.2.15
- Updated to support version 5.3.4
- 08 Aug 2010 GMT +8
- Updated to support version 5.2.14
- Updated to support version 5.3.3
- 20 Mar 2010 GMT +8
- Updated to support version 5.2.13
- Updated to support version 5.3.2
- 18 Dec 2009 GMT +8
- Updated to support version 5.2.12
- 02 Dec 2009 GMT +8
- Updated to support version 5.3.1
- 30 Sep 2009 GMT +8
- Updated to support version 5.2.11
- 02 Jul 2009 GMT +8
- Updated to support version 5.2.10
- Updated to support version 5.3.0
- 31 Mar 2009 GMT +8
- Updated to support version 5.2.9
- 09 Dec 2008 GMT +8
- Updated to support version 5.2.8
- 15 Sep 2008 GMT +8
- Updated to support version 4.4.9
- 09 May 2008 GMT +8
- Updated to support version 5.2.6
- 07 Jan 2008 GMT +8
- Updated to support version 4.4.8
- 11 Nov 2007 GMT +8
- Updated to support version 5.2.5
- 03 Sep 2007 GMT +8
- Updated to support version 5.2.4
- 04 Jun 2007 GMT +8
- Updated to support version 5.2.3
- 06 May 2007 GMT +8
- Updated to support version 4.4.7 and 5.2.2
- 04 Mar 2007 GMT +8
- Updated to support version 4.4.6
- 20 Feb 2007 GMT +8
- Updated to support version 4.4.5 and 5.2.1
- 12 Nov 2006 GMT +8
- Updated to support version 5.2.0
- Many thanks to Stefan Esser from hardened-php.net to report a security issue regarding PHP_SELF in headers thus I have included an extra check for \n and \r string
- 25 Aug 2006 GMT +8
- Updated to support version 5.1.6
- 23 Aug 2006 GMT +8
- Updated to support version 4.4.4 and 5.1.5
- 05 Aug 2006 GMT +8
- Updated to support version 4.4.3
- 16 Jan 2006 GMT +8
- Updated to support version 4.4.2
- 03 Nov 2005 GMT +8
- Updated to support version 4.4.1
- 11 Sep 2005 GMT +8
- Updated to support version 5.0.5
- 12 Jul 2005 GMT +8
- Updated to support version 4.4.0
- 02 Apr 2005 GMT +8
- Updated to support version 5.0.4 and 4.3.11
- 17 Dec 2004 GMT +8
- Updated to support version 5.0.3 and 4.3.10
- 26 Nov 2004 GMT +8
- Updated to support version 5.0.2
- 2 Oct 2004 GMT +8
- Updated to support version 4.3.9
- 17 Jul 2004 GMT +8
- Updated to support version 4.3.8
Download Patches
- 5.3.x md5sum 0b0f71600762d32a816b83df1a82c202
- 5.4.x md5sum ca09ef83f6e28495a8c64b7aa44b28a7
- 5.5.x md5sum 902d7838697f50eb6e9f7e37acf226d0
- 5.6.x md5sum 941791abe1ad212876d4e2cee74a52db
- 7.0.x md5sum db9895c017ab495a08c97a2c9bebfd41
- 7.1.x md5sum d34d031978d371531373dbc5e9146ca2
- 7.2.x md5sum 6c3fd8b66da9682a68c53bb12db7a3e4
- 7.3.x md5sum aa968d29317de9dccb1fa18ddbd7a547
- 7.4.x md5sum 7018b81b0151ea787d54bc81463ad291
- 8.0.x md5sum 838e3a975e6f53a090bbbd6993751fe5
- 8.1.x md5sum 74941c7a73bc113305e960f6f027354c
- 8.2.x md5sum 7411c25877aa6ba2f75616da46956580
Looking for old patches? → Please Help Yourself
How to Apply the Above Patch?
Example for php version 5.4.45:
cd /usr/local/src
wget http://us2.php.net/get/php-5.4.45.tar.bz2/from/this/mirror
wget http://choon.net/opensource/php/php-5.4.x-mail-header.patch
tar jxvfp php-5.4.45.tar.bz2
cd php-5.4.45
patch -p1 < ../php-5.4.x-mail-header.patch
- Line 1: Change current working directory to /usr/local/src
- Line 2: Download php version 5.4.45 source
- Line 3: Download php mail header patch for version 5.4.45
- Line 4: Unpack php version 5.4.45 source
- Line 5: Change current working directory to the newly unpacked php source
- Line 6: Apply php mail header patch
Configure and compile and install as usual which I am not going to cover here.
How to Test?
Download this example php script and rename it to ended as .php extension in your server then point your browser to it provided you have changed the variable $to in the example script to your valid email address: