On Sun, Jul 05, 2026 at 06:08:12PM -0700, Ben Wong wrote:
> Source: debbugs
> Version: 2.6.5
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> There is some curious code in Mail.pm:
>
> for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
> eval {
> _send_message($param{message},@sendmail_arguments,$recipient);
>
> As you can see, it sometimes sets $recipient="-t" to modify how
> sendmail works. While clever, it suggests a possible security problem.
> In particular, a recipient address may be interpreted as an option
> flag. For example,
>
> sendmail -oem -oi -oQ/tmp/[email protected] [email protected]
This is assuming that debbugs does not validate recipient addresses before that
point, yes ?
Cheers,
--
Bill. <[email protected]>
Imagine a large red swirl here.