Jim Gifford wrote:The only thing I have in my shell that uses variables is amavis. Here is the amavis section...
FROM=escape($SENDER)...TO=escape($RECIPIENT) xfilter "/usr/sbin/amavis debug $SENDER $RECIPIENT"
/me snickers
So, you've gone to the trouble of escaping SENDER and RECIPEINT so that you have shell-safe values in FROM and TO, but then use SENDER and RECIPIENT on the command line? :)
xfilter "/usr/sbin/amavis debug $FROM $TO"
In all fairness, this was part of some (incorrect) instructions distributed with a patch or something. I'm a little fuzzy in the brain today, so I don't remember exactly where I got them from, but I ran into the same set of instructions for amavis. I pointed it out to the author, at which point he argued that he was right and I was wrong. So, I decided it wasn't worth the battle.
So, take pity on those following instructions without fully understanding what's going on...
I just think it's a real testament to the need to be careful which instructions we follow, and the possible security implications of simple mistakes.
Just my 2 cents worth,
David
------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ courier-users mailing list [EMAIL PROTECTED] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
