This blog has been archived. Our writing has moved to makandra cards.
The blog of makandra, a Ruby on Rails development team

Advanced WTF at work

Although we have a strong focus on Ruby on Rails development in Germany, we occasionally have a look at legacy code for friends of ours (or for the few customers who have those dark spots and are willing to pay compensation for the pain and suffering that usually come with such requests).

What I saw yesterday nearly made me fall off my chair. It started with (a friend) sending me a document with the hostname and credentials for FTP access. The username was (of course) nearly the password. But that's okay, I'm almost used to it. As pure FTP is obsolete and should not be used for several reasons anyway, I don't even care about that too much.

After logging in, it took some time for me to realize that they're doing some really weird stuff in their .htaccess:

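RewriteEngine On

# Redirect the bare domain to the www host
RewriteCond %{HTTP_HOST}           ^example\.com$              [NC]
RewriteRule ^(.*)$                 http://www.example.com/$1   [R=301,L]

# Serve /files/index.php for the root and /files/<name>.php for /<name>.html
RewriteRule ^$                     /files/index.php                          [L]
RewriteRule ^([^/]+)\.html         /files/$1.php                             [L]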

It makes the httpd deliver /files/foo.php when /foo.html is requested. I did not find out what the purpose of this rewrite condition is (and I definitely will not ask anyone to explain).

After taking a deep breath, I looked at the actual file (/files/contact.php) that "causes trouble", as mails sent from the contact site do not contain special characters:

And there we jump on the failtrain…

$handle = @fsockopen("hostname.tld", 25);

Those of you familiar with TCP ports might guess what's next…

In the end, the script re-implemented (parts of) php.net/mail. Needless to say, the "implementation" was not really complete, and the broken special characters resulted from that.

A final

header("Location: ./kontakt.html?done=1");

finalized the glorious piece of code.

Lessons learned: If you plan to start a feature by opening a socket (be it listening or connecting), at least think twice and maybe ask a colleague about your idea. It's very likely that you're about to reinvent the wheel.
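
What a contact form has to do so that special characters survive when the message is handed to PHP's built-in mail() instead of a hand-written SMTP dialogue on port 25. This is an added example, not the code from the site described above; the function names, addresses and sample text are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: build a UTF-8 safe contact mail for PHP's mail().
// Function names, form fields and addresses are assumptions.

mb_internal_encoding('UTF-8');

/** Reject CR/LF so a form value cannot start a new header line. */
function single_line(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

/** Returns [to, subject, body, headers], ready to pass to mail(). */
function build_contact_mail(string $replyTo, string $subject, string $text): array
{
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply address');
    }

    // Header fields are ASCII-only: non-ASCII text must be sent as
    // RFC 2047 encoded-words, which mb_encode_mimeheader() produces.
    $encodedSubject = mb_encode_mimeheader(single_line($subject), 'UTF-8', 'B', "\r\n");

    // The body needs a declared charset and a transfer encoding.
    $headers = [
        'From'                      => 'webform@example.com', // constructed sender
        'Reply-To'                  => $replyTo,
        'MIME-Version'              => '1.0',
        'Content-Type'              => 'text/plain; charset=UTF-8',
        'Content-Transfer-Encoding' => 'base64',
    ];
    $body = chunk_split(base64_encode($text)); // 76 characters per line

    return ['contact@example.com', $encodedSubject, $body, $headers];
}

// Constructed sample input with umlauts, the kind of text that arrived broken.
[$to, $subject, $body, $headers] = build_contact_mail(
    'joerg@example.org', 'Rückfrage zum Angebot', "Viele Grüße aus Augsburg\n"
);
echo $subject, "\n", $body;

// Hand over to the local MTA (array headers need PHP >= 7.2):
// mail($to, $subject, $body, $headers);
```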
