Good point. I changed it to:

    IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|

So now it should be secure (same as using $@ instead of $*). Am I right? Or am I still missing something?

Thanks,
Pawel

2016-10-13 11:50 GMT+01:00 Wietse Venema <wie...@porcupine.org>:
> Paweł Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
>
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
>
> (Note that the shell script example in FILTER_README does not
> have this issue because that does not re-parse its arguments).
>
> Wietse