One more thing - check out the smtp package in the new Standard Tcl Library.
Perhaps we should both be using that.
http://dev.scriptics.com/software/tcllib
>>>Kristoffer Lawson said:
>
> I noticed that in mail.tcl you directly pass the given email address
> to sendmail in exec. The command is as follows:
>
> exec $Mail(program) $sendto << $message
>
> I believe there might be a possibility for a security issue here if the
> user is able to set the email address to something containing those
> magic characters used by exec (like >). I have not yet studied thoroughly
> if this is actually possible in any circumstances and it would be nice to
> be assured that this is secure.
>
> I stumbled across this while building my own software using sendmail in a
> similar fashion. Apparently there is no easy way of dealing with this, as
> there are no (documented) escape characters to exec. The clean solution to
> this would be to provide a secure exec where the input/output options have
> to be given as actual options as in:
>
> newExec -outputToFile /dev/null ls /
>
> (one might argue that this is cleaner than using the special characters)
>
> Alternatively the command could be given as one string:
>
> anotherExec "ls /" > /dev/null
>
> --
> Kristoffer Lawson | www.fishpool.fi | www.fishpool.com | /~setok/
> [EMAIL PROTECTED] | Fishpool Creations Ltd
>
-- Brent Welch <[EMAIL PROTECTED]>
http://www.ajubasolutions.com
Scriptics changes to Ajuba Solutions
scriptics.com => ajubasolutions.com
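The concern raised in the quoted message is that Tcl's exec inspects each argument word for I/O-control syntax, so a recipient string such as ">somefile" or "|cmd" is treated as a redirection or pipe rather than as an address; a leading "-" would additionally be read by sendmail as an option. The example below is added here and is not code from either author or from the Standard Tcl Library: it is a defensive wrapper around the quoted `exec $Mail(program) $sendto << $message` pattern that rejects recipients before they reach exec. The names `safeRecipient`, `sendMail` and the sample addresses are assumptions constructed for illustration; the real remedy mentioned in the reply, talking SMTP over a socket with tcllib's smtp package, avoids exec altogether.

```tcl
# Added example, not part of the original thread or of tcllib.
# Assumption: $program is a sendmail-compatible binary that takes recipient
# addresses as arguments and reads the message on standard input.

# Reject any recipient that exec or sendmail could interpret as something
# other than an address.
proc safeRecipient {addr} {
    # exec treats a word beginning with <, >, >>, 2>, >&, | or |& as
    # input/output control, and a trailing & as "run in background".
    if {[regexp {^(<|>|2>|\||&)} $addr]} {
        error "refusing recipient that looks like an exec redirection: $addr"
    }
    # A leading "-" would be parsed by sendmail as a command-line option.
    if {[string index $addr 0] eq "-"} {
        error "refusing recipient that looks like a sendmail option: $addr"
    }
    # Conservative allow-list: local-part@domain with a restricted alphabet.
    # This is deliberately narrower than RFC 822; widen it only with care.
    if {![regexp {^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$} $addr]} {
        error "recipient is not a plain mailbox address: $addr"
    }
    return $addr
}

# Hypothetical replacement for the quoted mail.tcl call site.
proc sendMail {program sendto message} {
    set addr [safeRecipient $sendto]
    # "--" only terminates exec's own switches; the recipient word is still
    # scanned for redirection syntax, which is why safeRecipient ran first.
    exec -- $program $addr << $message
}

# Constructed sample inputs showing which recipients are accepted.
foreach candidate {
    user@example.com
    >/tmp/captured
    |sh
    -Cevil.cf
    "user@example.com &"
} {
    if {[catch {safeRecipient $candidate} result]} {
        puts "rejected: $result"
    } else {
        puts "accepted: $result"
    }
}
```

Only the first candidate is accepted; the others are refused before exec ever sees them. The allow-list check is the one that matters most, since it rejects every character exec or the shell could give meaning to, and the two explicit checks above it simply make the error messages more useful during review.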