On Sun, 05 Jul 2026, Ben Wong wrote:n
> Source: debbugs
> Version: 2.6.5
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> There is some curious code in Mail.pm:
>
> for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
> eval {
> _send_message($param{message},@sendmail_arguments,$recipient);
>
> As you can see, it sometimes sets $recipient="-t" to modify how
> sendmail works. While clever, it suggests a possible security problem.
> In particular, a recipient address may be interpreted as an option
> flag. For example,
>
> sendmail -oem -oi -oQ/tmp/[email protected] [email protected]
Yeah, this is something we should fix, since you could have a mail
address starting with -. Not sure exactly if sendmail parses that
correctly.
The patch has some extraneous changes and should be simplified a bit (we
should put -t into @sendmail_arguments instead, or have it use -t when
there isn't any recipients instead of calling the same code twice.)
I'll look into this later on today.
--
Don Armstrong https://www.donarmstrong.com
Your absence has gone through me
Like thread through a needle.
Everything I do is stitched with its color.
-- W. S. Merwin "Poetry in Motion" p107