The following issue has been RESOLVED.
======================================================================
http://dbmail.org/mantis/view.php?id=323
======================================================================
Reported By:                michael
Assigned To:                aaron
======================================================================
Project:                    DBMail
Issue ID:                   323
Category:                   PIPE delivery (dbmail-smtp)
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
Resolution:                 fixed
Fixed in Version:
======================================================================
Date Submitted:             11-Apr-06 18:26 CEST
Last Modified:              23-Apr-06 23:27 CEST
======================================================================
Summary:                    pipe to sendmail is opened incorrectly
Description:
popen spawns a shell; the shell, when it gets <emailaddress>, treats it as
some kind of I/O redirect. -f param should be enclosed with '.
Also, it is not secure, because the shell can extract variables...
Also, need to check if there are other popens in the code
======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0000325 Broken pipe delivery for off-site addre...
======================================================================

----------------------------------------------------------------------
 michael - 11-Apr-06 18:41
----------------------------------------------------------------------
The thing I did is ugly, and does not work. If the From: is like:
"me '$SOME_ENV_VAR, or `passwd root`' <[EMAIL PROTECTED]
it will be passed to the shell as it is

----------------------------------------------------------------------
 aaron - 11-Apr-06 19:23
----------------------------------------------------------------------
Last month I rewrote pipe.c to have a single function "send_mail" that
handles opening the pipe to sendmail, escaping the arguments, and doing
the right things. It's currently static to pipe.c -- I'll work on
forward.c to use this function, too, though. I'll have time to hack on it
on Thursday.

----------------------------------------------------------------------
 aaron - 23-Apr-06 23:27
----------------------------------------------------------------------
I changed what appears to be an off-by-one error. We need to write a
testcase for forwards. Resolving the bug since the patch is in and no
complaints have come back.

Issue History
Date Modified   Username       Field                    Change
======================================================================
11-Apr-06 18:26 michael        New Issue
11-Apr-06 18:26 michael        File Added: forward.c.popen.patch
11-Apr-06 18:41 michael        Note Added: 0001080
11-Apr-06 19:23 aaron          Note Added: 0001081
17-Apr-06 21:43 aaron          Relationship added       related to 0000325
23-Apr-06 23:27 aaron          Status                   new => resolved
23-Apr-06 23:27 aaron          Resolution               open => fixed
23-Apr-06 23:27 aaron          Assigned To               => aaron
23-Apr-06 23:27 aaron          Note Added: 0001094
======================================================================
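
Added example, not DBMail's code and not the attached patch: it shows why wrapping the -f value in plain single quotes fails for a sender that itself contains a quote, and the '\'' escaping that keeps the value literal under popen(). The names shell_quote, shell_roundtrip and SAMPLE_FROM are hypothetical, the sender is constructed, and printf stands in for sendmail so the block runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Wrap `in` in single quotes for /bin/sh; an embedded ' becomes '\''.
 * Returns the quoted length, or -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outlen) return -1;  /* closing quote + NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Pass `arg` through popen() (that is, /bin/sh -c) to `printf %s` and capture
 * what the shell really hands to the program (stand-in for sendmail -f).
 * mode 0: naive '<arg>' wrapping; mode 1: shell_quote(). Bytes read or -1. */
int shell_roundtrip(const char *arg, int mode, char *buf, size_t buflen)
{
    char q[512], cmd[600];
    if (mode) { if (shell_quote(arg, q, sizeof q) < 0) return -1; }
    else if (snprintf(q, sizeof q, "'%s'", arg) >= (int)sizeof q) return -1;
    snprintf(cmd, sizeof cmd, "printf %%s %s", q);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(buf, 1, buflen - 1, p);
    buf[n] = '\0';
    pclose(p);
    return (int)n;
}

/* Constructed sender, modelled on the From: value in the first note. */
static const char SAMPLE_FROM[] = "me '$HOME, or `echo INJECTED`' <user@example.org>";

int main(void)
{
    char out[512];
    if (shell_roundtrip(SAMPLE_FROM, 0, out, sizeof out) >= 0) printf("naive : %s\n", out);
    if (shell_roundtrip(SAMPLE_FROM, 1, out, sizeof out) >= 0) printf("quoted: %s\n", out);
    return 0;
}
```

Running sendmail through fork() and execv() with an argument vector avoids the shell entirely, so no quoting is needed at all.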
