Paweł Grzesik:
> Good point. I changed it to:
> IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> So now it should be secure (same as using $@ instead of $*).
> Am I right, or am I still missing something?

Sorry, that is still a shell command line. You need an API that
passes a vector of arguments, not a command line.

Such as Python's

    os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").

This bug is actually very old. An early publication is at


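The difference between a command line and an argument vector, as an added example that is not part of the original thread: the same value is handed to a child process once through a shell command string built like the quoted IO.popen call, and once as an Array. A stand-in child process that prints its arguments replaces /usr/sbin/sendmail; the helper names and sample recipient strings are constructed for the demo.

```ruby
require "rbconfig"
require "shellwords"

# Stand-in for /usr/sbin/sendmail (assumption for this demo): a child Ruby
# process that prints each argument it received on its own line.
ARGV_DUMPER = [RbConfig.ruby, "-e", "puts ARGV", "--"].freeze

# Command-line form, built the way the quoted IO.popen call builds it: the
# value is interpolated between double quotes and /bin/sh parses the result.
def argv_seen_shell(recipient)
  cmd = "#{Shellwords.join(ARGV_DUMPER)} -G -i \"#{recipient}\""
  IO.popen(cmd, "r") { |io| io.read.split("\n") }
end

# Vector form: an Array given to IO.popen is executed without a shell, so
# every element arrives as exactly one argv entry, byte for byte.
def argv_seen_vector(recipient)
  IO.popen(ARGV_DUMPER + ["-G", "-i", recipient], "r") { |io| io.read.split("\n") }
end

# Constructed sample values (not taken from the thread).
SAMPLES = [
  "alice@example.com",
  'alice@example.com" "bob@example.com',
  '$(echo injected)@example.com',
].freeze

if __FILE__ == $0
  SAMPLES.each do |rcpt|
    puts "input : #{rcpt.inspect}"
    puts "shell : #{argv_seen_shell(rcpt).inspect}"
    puts "vector: #{argv_seen_vector(rcpt).inspect}"
  end
end
```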