Good point. I changed it to:

IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|

So now it should be secure (same as using $@ instead of $*).
Am I right? or I'm still missing something?


2016-10-13 11:50 GMT+01:00 Wietse Venema <>:

> Pawe? Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
> (Note that the shell script example in FILTER_README does not
> have this issue becasue that does not re-parse its arguments).
>         Wietse

Reply via email to