Thanks for the reply Sam! A follow up question below. :-)

-----Original Message-----
From: Sam Varshavchik [mailto:mr...@courier-mta.com]
Sent: May 27, 2014 3:10 PM
To: 'courier-users@lists.sourceforge.net'
Subject: Re: [courier-users] Problems escaping subject line and mailbot

mi...@bitblock.net writes:

> If I’m expecting the wrong thing, can someone please point me in the
> right direction?

What you want to do is /not/ escape SUBJECT, but rather let the shell handle the expansion:

    cc "| $MAILBOT … -s\"Subject: AUTO-REPLY: (\$SUBJECT)\" … "

This ends up executing the following command by the shell:

    mailbot … -s"Subject: AUTO_REPLY ($SUBJECT)"

maildrop exports all variables into the shell's environment. The shell is going to do variable substitution in the parameter, by itself.

[Mitch says:]

I had been under the impression that we needed to escape any variables that would be passed out of maildrop due to concerns that someone might embed something nasty in something presumed safe. I know I'm probably wrong about this because I've been a fan of courier since 0.37 because of your caution about bad practice / bad code... but what keeps it safe without the escape?

Like if someone set the subject to:

    Subject: '" ; rm -rf / &

Or something similar - without the escape the quotes could end the -s parameter, the ; ends the command which might end in error while the malicious bugger has a spree...

Did something change that escapes are no longer needed or did I miss the point many years back?

Thanks again!

Mitch
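
An added example, not part of the thread and not Courier code: it contrasts the quoted reply's form, where the command text keeps a literal $SUBJECT and the shell expands it from the environment, with pasting the value into the command text before the shell parses it. As assumptions, printf stands in for mailbot, `sh -c` stands in for the shell that runs the command, and the sample subject is constructed with a harmless payload that only creates a marker file.

```shell
#!/bin/sh
# Added illustration, not from the thread. printf stands in for mailbot and
# `sh -c` for the shell that runs the command; both are assumptions.

# Case 1: the command text keeps a literal $SUBJECT and the value arrives in
# the environment. The shell tokenizes the command first and expands the
# variable afterwards, inside the double quotes, so the value stays one word.
run_env_expansion() {
    SUBJECT=$1 sh -c 'printf "[%s]\n" -s"Subject: AUTO-REPLY: ($SUBJECT)"'
}

# Case 2 (the unsafe contrast): the value is pasted into the command text
# before the shell parses it, so its quote and semicolon become shell syntax.
run_text_interpolation() {
    sh -c "printf '[%s]\n' -s\"Subject: AUTO-REPLY: ($1)\""
}

# Constructed sample subject; its payload only creates a marker file.
make_hostile_subject() {   # $1 = marker path
    printf '%s' "'\" ; touch \"$1\" ; echo \""
}

# Prints "yes" if running the given case created the marker, else "no".
marker_created_by() {      # $1 = name of one of the two functions above
    work=$(mktemp -d) || return 1
    subject=$(make_hostile_subject "$work/injected")
    "$1" "$subject" >/dev/null 2>&1
    if [ -e "$work/injected" ]; then result=yes; else result=no; fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

printf 'env expansion injected?      %s\n' "$(marker_created_by run_env_expansion)"
printf 'text interpolation injected? %s\n' "$(marker_created_by run_text_interpolation)"
```

In case 1 the subject still reaches the program verbatim as part of a single argument, so the receiving program has to treat it as untrusted data.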