Pawe? Grzesik:
> IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|

And there you have a giant security hole. What happens if an email
address contains shell special characters? You specify flags=Rq in
the pipe daemon command, but that quotes email addresses according
to RFC822, not to make them resistant against shell command injection.

(Note that the shell script example in FILTER_README does not
have this issue becasue that does not re-parse its arguments).


Reply via email to