On Wed, Apr 19, 2000 at 03:31:16AM -0300, Rogerio Brito wrote:
> On Apr 19 2000, Adam McKenna wrote:
> > in .qmail-default:
> >
> > /home/user/$EXT/Maildir/
>
> Well, you could use something like:
>
> | someprogram /home/user/"$EXT"/Maildir/
>
> where someprogram is something that gets its message from
> stdin and writes it to the maildir given as parameter.
>
> BTW, as Peter noticed, one should be very careful with these
> things, since $EXT is controlled by the remote "adversary".

Especially now, since $EXT is exposed to at least one level of shell
parsing. When it was in /home/user/$EXT/Maildir/, there were no real
risks; it's just better to be safe than sorry.

In this version, someprogram might just be another shell script, which means
you're doomed unless you do extensive filtering of variables. A ; or | is
easily inserted.

Greetz, Peter.
--
Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder
|
| 'C makes it easy to shoot yourself in the foot;
| C++ makes it harder, but when you do it blows your whole leg off.'
| Bjarne Stroustrup, Inventor of C++
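
The filtering discussed in this message, as an added example that is not part of the original thread or of qmail: a shell-script delivery helper can check $EXT against an allowlist before it builds the maildir path. The function names, the 64-character limit and the allowed character set are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): validate the untrusted
# address extension before it is used as a path component.
# Function names, the length limit and the allowlist are assumptions.

# Fixed locale so the A-Z / a-z ranges below mean ASCII only.
LC_ALL=C
export LC_ALL

# is_safe_ext EXT
# Returns 0 only if EXT is a single, harmless path component.
is_safe_ext() {
    ext=$1
    [ -n "$ext" ] || return 1            # empty extension
    [ "${#ext}" -le 64 ] || return 1     # arbitrary upper bound (assumption)
    case $ext in
        .*|-*) return 1 ;;               # ".", "..", dotfiles, option-like names
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allowlist:
                                         # ; | / whitespace, quotes, newlines ...
    esac
    return 0
}

# maildir_for_ext BASE EXT
# Prints BASE/EXT/Maildir/ on success; prints nothing and returns 1 otherwise.
maildir_for_ext() {
    base=$1
    ext=$2
    is_safe_ext "$ext" || return 1
    printf '%s/%s/Maildir/\n' "$base" "$ext"
}

# Intended use inside a delivery script started from .qmail-default
# (100 is qmail's exit code for a permanent failure):
#
#   dir=$(maildir_for_ext /home/user "$EXT") || exit 100
#   ... deliver the message on stdin to "$dir", always quoting "$dir" ...
```

Rejecting by allowlist rather than stripping individual characters keeps the check independent of how many further levels of shell parsing the value passes through.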