>> I really think to be safe we should simply >> replace any shell metacharacters for those things, > >I'm not sure that could be done completely safely. See below about not >using /bin/sh -c.
Our official list of shell metacharacters in argsplit() is:
#define METACHARS "$&*(){}[]'\";\\|?<>~`\n"
It seems like replacing all of those for any MIME parameter we encounter
would make sense, and would be safe?
--Ken
--
Nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
