Norm wrote:

> David Levine <levin...@acm.org> writes:
> > Is clobbering the only [mstore] security concern with -auto?
> 
> Wouldn't the '|' feature, combined with an mhstore-store-<type> in
> .mh_profile, allow the execution of arbitrary code?

If arbitrary means "what the user put into their profile",
yes, but we can't prevent that.  Is there a way to get
mhstore to execute arbitrary code provided by the message?

Also, '|' isn't affected by -auto:  it is enabled even with -noauto.

David

_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers