A NOTE has been added to this issue. ====================================================================== http://www.dbmail.org/mantis/view.php?id=323 ====================================================================== Reported By: michael Assigned To: ====================================================================== Project: DBMail Issue ID: 323 Category: PIPE delivery (dbmail-smtp) Reproducibility: always Severity: major Priority: normal Status: new ====================================================================== Date Submitted: 11-Apr-06 18:26 CEST Last Modified: 11-Apr-06 18:41 CEST ====================================================================== Summary: pipe to sendmail is opened incorrect Description: popen spawns a shell, the shell when gets <emailaddress>, treats it as some kind of I/O redirect. -f param should be enclosed with '. Also, it is non secure, because shell can extract variables...
Also, need to check if there are other popens in the code ====================================================================== ---------------------------------------------------------------------- michael - 11-Apr-06 18:41 ---------------------------------------------------------------------- The thing I did is ugly, and does not work. If the From: is like: "me '$SOME_ENV_VAR, or `passwd root`' <[EMAIL PROTECTED] it will be passed to shel as it is Issue History Date Modified Username Field Change ====================================================================== 11-Apr-06 18:26 michael New Issue 11-Apr-06 18:26 michael File Added: forward.c.popen.patch 11-Apr-06 18:41 michael Note Added: 0001080 ======================================================================
