In article <20141217131849.r2prgpje%sdao...@yandex.com>, Steffen Nurpmeso <sdao...@yandex.com> wrote:
>This is fully yours and who am I but
>
> |Added expandaddr option to explicitly enable this behavior.
>
>why does a Christos Zoulas silently wave through this sloppily
>programmed shit from oss-sec that simply returns from outof()
>instead of giving any indication on what is going on?
>Unbelievable.
All you have to do is to set a variable to get the previous behavior, and this is now documented. It is unexpected behavior that a mail program can run commands on behalf of the user using special syntax.

Just a few weeks ago, we fixed a similar issue in ftp. Why didn't you complain about that?

I believe that all maintained versions of mail upstream are being adjusted to comply with this. What's the downside? Or are you sure that everything that passes addresses to the mail program command line sanitizes their addresses properly?

christos