Oliver Block:
> Hello everyone,
>
> these days you can read dozens of articles that implicitly claim that
> the following code will produce more than one mail message at a time
> if used by a malicious user.
>
> I doubt that it is true, but I'd like to ask here, because you know
> your mta better than I. The C code to access postdrop/sendmail is the
> following:
>
> ...
>
> errno = 0;
> sendmail = popen(sendmail_cmd, "w");
>
> if (sendmail) {
>
> ...
>
> fprintf(sendmail, "To: %s\n", to);
> fprintf(sendmail, "Subject: %s\n", subject);
If the to or subject are taken from an untrusted user, they may
contain newlines, MIME headers, a new body, and other MIME
headers that prevent your real message from being displayed.
> if (hdr != NULL) {
> fprintf(sendmail, "%s\n", hdr);
>
> }
If the hdrs are taken from an untrusted user, but I repeat myself.
Wietse
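
One way to refuse such values before they reach the stream returned by popen(), as an added example that is not part of the original thread. The function names (header_value_ok, header_line_ok, put_header, unchecked_line_count) and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if v can sit on one header line: non-NULL and free of CR and LF.
 * Stricter than RFC 5322, which permits folded continuation lines. */
int header_value_ok(const char *v)
{
    return v != NULL && strpbrk(v, "\r\n") == NULL;
}

/* 1 if hdr is exactly one "Name: value" line: a non-empty field name of
 * printable ASCII (33..126, no ':'), a ':', then a value without CR/LF. */
int header_line_ok(const char *hdr)
{
    const char *p = hdr;
    if (hdr == NULL)
        return 0;
    while (*p > 32 && *p < 127 && *p != ':')
        p++;
    return p != hdr && *p == ':' && header_value_ok(p + 1);
}

/* Write "name: value\n" to out (for example the popen()ed stream) only if
 * the value passes the check. Returns 0 on success, -1 if rejected. */
int put_header(FILE *out, const char *name, const char *value)
{
    if (!header_value_ok(value))
        return -1;
    return fprintf(out, "%s: %s\n", name, value) < 0 ? -1 : 0;
}

/* Demo helper: how many lines the unchecked "Subject: %s\n" format from
 * the quoted code emits for a given subject. */
int unchecked_line_count(const char *subject)
{
    char buf[512];
    int n = 0;
    snprintf(buf, sizeof buf, "Subject: %s\n", subject);
    for (const char *p = buf; *p; p++)
        n += (*p == '\n');
    return n;
}

int main(void)
{
    const char *bad = "Hi\nX-Injected: yes"; /* constructed sample input */
    printf("unchecked lines: %d\n", unchecked_line_count(bad));
    printf("put_header: %d\n", put_header(stdout, "Subject", bad));
    printf("hdr ok: %d\n", header_line_ok("X-Mailer: demo"));
    return 0;
}
```

The same check applies to the hdr argument: header_line_ok() accepts a single well-formed header line and rejects anything carrying an embedded line break.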