On Sat, Sep 09, 2006 at 09:50:16AM -0400, Woodchuck wrote:
> > FILE *mail;
> > char sendmail[512];
> > sprintf(sendmail, "%s %s", SENDMAIL_PATH, RECIPIENT);
>
> use snprintf here, this is exactly the sort of code that some joker
> will try to do a buffer overflow on.

Assuming RECIPIENT is actually something that will be user controllable, doesn't he need to worry about quoting RECIPIENT and making sure it doesn't start with a dash? Does OpenBSD have a popen(3) replacement but with an exec(3)-like interface instead of a system(3)-like one?