[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> My script is going to
> ask for some comments to be emailed to the administrator. I was going to
> simply pipe everything into qmail-inject, but then once I got into
> untainting the data, this could pose some problems. If I understand all
> this correctly, would simply piping text into qmail-inject open one up
> as a relay?? The malicious user could put valid SMTP headers right in
> the comments and qmail-inject would take it.

qmail-inject can take an option to prevent it from using any recipients
listed in the message headers.  The default is to only look at headers
for recipients if none are specified on the command line.

Therefore, if your script opens qmail-inject like this:

  qmail-inject [other options] [EMAIL PROTECTED]

Then it doesn't matter what the message content is; it will all go to
[EMAIL PROTECTED], so no relaying happens.

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                            <[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
-----------------------------------------------------------------------
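
The invocation described above, as an added example that is not part of the original message: a Python form of the script's mail step, using qmail-inject's -a option (envelope recipients come from the command line only). The binary path, the admin@example.org address and the function names are assumptions.

```python
import subprocess

QMAIL_INJECT = "/var/qmail/bin/qmail-inject"  # assumed: default qmail install path
ADMIN = "admin@example.org"                   # constructed placeholder address


def inject_argv(recipient=ADMIN, binary=QMAIL_INJECT):
    """Build argv with the envelope recipient fixed by the script, not the form."""
    if (not recipient or recipient.startswith("-")
            or any(c.isspace() for c in recipient)):
        raise ValueError("recipient must be a fixed, well-formed address")
    # -a: deliver only to recipients given as arguments; header recipients
    # (To/Cc/Bcc found in the message text) are never used for delivery.
    return [binary, "-a", recipient]


def build_message(comment, recipient=ADMIN):
    """Script-owned headers, a blank line, then the visitor's text as body."""
    body = comment.replace("\r\n", "\n").replace("\r", "\n")
    # The blank line ends the header block, so header-looking lines typed
    # into the comment box arrive as plain body text.
    return f"To: {recipient}\nSubject: Site comment\n\n{body}\n"


def send_comment(comment, recipient=ADMIN, binary=QMAIL_INJECT):
    """Pipe the message to qmail-inject on stdin; raises if it exits non-zero."""
    # argv is a list and no shell is involved, so form data never reaches
    # a command line; it only travels on stdin.
    return subprocess.run(
        inject_argv(recipient, binary),
        input=build_message(comment, recipient).encode("utf-8"),
        check=True,
    )


if __name__ == "__main__":
    # Constructed hostile input: header lines typed into the comment field.
    hostile = "To: victim@example.net\nBcc: other@example.net\n\nbuy now"
    print(inject_argv())
    print(build_message(hostile))
```
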
