On Sun, 05 Jul 2026, Ben Wong wrote:n
> Source: debbugs
> Version: 2.6.5
> Severity: normal
> Tags: patch
> 
> Dear Maintainer,
> 
> There is some curious code in Mail.pm:
> 
>     for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
>         eval {
>             _send_message($param{message},@sendmail_arguments,$recipient);
> 
> As you can see, it sometimes sets $recipient="-t" to modify how
> sendmail works. While clever, it suggests a possible security problem.
> In particular, a recipient address may be interpreted as an option
> flag. For example,
> 
>     sendmail -oem -oi -oQ/tmp/[email protected] [email protected]

Yeah, this is something we should fix, since you could have a mail
address starting with -. Not sure exactly if sendmail parses that
correctly.

The patch has some extraneous changes and should be simplified a bit (we
should put -t into @sendmail_arguments instead, or have it use -t when
there isn't any recipients instead of calling the same code twice.)

I'll look into this later on today.

-- 
Don Armstrong                      https://www.donarmstrong.com

Your absence has gone through me
Like thread through a needle.
Everything I do is stitched with its color.
 -- W. S. Merwin "Poetry in Motion" p107

Reply via email to