Good point. I changed it to:
IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
So now it should be secure (same as using $@ instead of $*).
Am I right? or I'm still missing something?
Thanks,
Pawel
2016-10-13 11:50 GMT+01:00 Wietse Venema <wie...@porcupine.org>:
> Pawe? Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
>
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
>
> (Note that the shell script example in FILTER_README does not
> have this issue becasue that does not re-parse its arguments).
>
> Wietse
>
