Hi,

I've fixed the pipe.c vulnerability by putting the string sent to the shell (with popen()) between single quotes, and escaping all single quotes in the string.

The new 1.2.1 version, and a patch against 1.2, can be downloaded from www.dbmail.org. Please upgrade from 1.x to 1.2.1. The 2.0 branch is fixed in CVS. Do we need to release an alpha2 version? If so, I'll do it tomorrow.

The upgrade to 1.2.1 also includes the PostgreSQL database definition changes (foreign keys and indexes).

Cheers,
Ilja

-- 
IC&S
Koningsweg 4
3582 GE UTRECHT
PGP-key: http://www.ic-s.nl/keys/ilja.txt
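
The quoting approach described in the message above, as an added example rather than dbmail's actual pipe.c code. The function name `shell_single_quote`, the `forward-cmd` program name and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not dbmail's code): return a malloc'd copy of `in`
 * wrapped in single quotes, with each embedded ' rewritten as '\''
 * (close the quoted string, emit an escaped quote, reopen the string).
 * Returns NULL on allocation failure or if the result size would overflow. */
char *shell_single_quote(const char *in)
{
    size_t len = strlen(in), quotes = 0, i, o = 0;
    char *out;

    for (i = 0; i < len; i++)
        if (in[i] == '\'')
            quotes++;

    /* Each ' grows from 1 to 4 bytes; add 2 wrapping quotes and the NUL. */
    if (len > SIZE_MAX - 3 || quotes > (SIZE_MAX - 3 - len) / 3)
        return NULL;
    out = malloc(len + quotes * 3 + 3);
    if (out == NULL)
        return NULL;

    out[o++] = '\'';
    for (i = 0; i < len; i++) {
        if (in[i] == '\'') {
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            out[o++] = in[i];
        }
    }
    out[o++] = '\'';
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: an address carrying shell metacharacters. */
    const char *addr = "user'; echo injected; echo '@example.com";
    char *quoted = shell_single_quote(addr);

    if (quoted == NULL)
        return 1;
    /* forward-cmd is a placeholder; the shell sees one literal argument. */
    printf("popen() argument: forward-cmd %s\n", quoted);
    free(quoted);
    return 0;
}
```

Single-quoting only stops the shell from interpreting the value; a value that begins with `-` can still be read as an option by the program that receives it.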
