The following issue has been set as RELATED TO issue 0000325.
======================================================================
http://www.dbmail.org/mantis/view.php?id=323
======================================================================
Reported By:                michael
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   323
Category:                   PIPE delivery (dbmail-smtp)
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             11-Apr-06 18:26 CEST
Last Modified:              17-Apr-06 21:43 CEST
======================================================================
Summary:                    pipe to sendmail is opened incorrect
Description:
popen spawns a shell; when the shell gets <emailaddress>, it treats it as
some kind of I/O redirect. The -f param should be enclosed with '. Also, it
is not secure, because the shell can extract variables...
Also, need to check if there are other popens in the code
======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0000325 Broken pipe delivery for off-site addre...
======================================================================

----------------------------------------------------------------------
 michael - 11-Apr-06 18:41
----------------------------------------------------------------------
The thing I did is ugly, and does not work.
If the From: is like: "me '$SOME_ENV_VAR, or `passwd root`' <[EMAIL PROTECTED]
it will be passed to the shell as it is

----------------------------------------------------------------------
 aaron - 11-Apr-06 19:23
----------------------------------------------------------------------
Last month I rewrote pipe.c to have a single function "send_mail" that
handles opening the pipe to sendmail, escaping the arguments, and doing the
right things. It's currently static to pipe.c -- I'll work on forward.c to
use this function, too, though. I'll have time to hack on it on Thursday.

Issue History
Date Modified   Username       Field                    Change
======================================================================
11-Apr-06 18:26 michael        New Issue
11-Apr-06 18:26 michael        File Added: forward.c.popen.patch
11-Apr-06 18:41 michael        Note Added: 0001080
11-Apr-06 19:23 aaron          Note Added: 0001081
17-Apr-06 21:43 aaron          Relationship added       related to 0000325
======================================================================
