On Fri, May 20, 2022 at 05:54:55PM +1000, raf <m...@raf.org> wrote: > I'm sending a patch that adds an error check for shell > meta-characters when $sendmail is used. It might have been > better to check right after reading .muttrc, but this seemed > like a more natural place to put the code (i.e., right after > the check that $sendmail exists).
I tried to send the patch to mutt-...@mutt.org a few times but never received it, so I'll send it here instead. cheers, raf > Subject: [PATCH] Add error when $sendmail has shell metachars --- sendlib.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sendlib.c b/sendlib.c index 430b5d73..05039714 100644 --- a/sendlib.c +++ b/sendlib.c @@ -2706,6 +2706,14 @@ mutt_invoke_sendmail (ADDRESS *from, /* the sender */ return -1; } + /* check for shell meta-characters that won't do what the user expects */ +#define SHELL_NON_SPACE_META_CHARACTERS "|&;()<>[]{}$`'~\"\\*?" + if (Sendmail[strcspn(Sendmail, SHELL_NON_SPACE_META_CHARACTERS)] != '\0') + { + mutt_error(_("$sendmail cannot contain shell meta-characters.")); + return -1; + } + ps = s; i = 0; while ((ps = strtok (ps, " "))) -- 2.30.2