On Sun, Jul 05, 2026 at 06:08:12PM -0700, Ben Wong wrote:
> Source: debbugs
> Version: 2.6.5
> Severity: normal
> Tags: patch
> 
> Dear Maintainer,
> 
> There is some curious code in Mail.pm:
> 
>     for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
>         eval {
>             _send_message($param{message},@sendmail_arguments,$recipient);
> 
> As you can see, it sometimes sets $recipient="-t" to modify how
> sendmail works. While clever, it suggests a possible security problem.
> In particular, a recipient address may be interpreted as an option
> flag. For example,
> 
>     sendmail -oem -oi -oQ/tmp/[email protected] [email protected]

This is assuming that debbugs does not validate recipient addresses before that
point, yes ?

Cheers,
-- 
Bill. <[email protected]>

Imagine a large red swirl here. 

Reply via email to