Sam Varshavchik wanted us to know:

>> I am seeing that any subject with a single quote causes problems. It
>
> Yeah, and if someone sends you mail with backticks in the subject, they'll
> probably be able to stuff a valid shell command that will be happily
> executed on your box.

Yeah, very good point.

> by maildrop, the second time by the shell. I haven't looked at what you're
> doing too closely, but the general advice here is to NEVER extract bits and
> pieces of any E-mail message, and try to feed it as a command line argument.
> That's just looking for trouble.
>
> You need to find some other way to do what you're trying to do.
In this case, I was simply trying to give the end user the ability to
prepend a quick message such as "Auto-Reply" or "Vacation Reply" to the
existing subject (similar to inserting a "Re" in replies), but I can see
this is tricky without being able to do command-line escaping. So the
answer is either
a) leave it untouched (no need to pass it to the xfilter)
or
b) replace it completely with a standard string (where our sanitation
routines control what it is initially set to).
Thanks for the whap with the clue bat.
--
Regards... Todd
I've visited conferences where the wireless LAN was deemed "secure" by
the organisation because they had outlawed sniffers. --Neils Bakker
Linux kernel 2.6.12-12mdksmp 3 users, load average: 0.06, 0.04, 0.06
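Option (a) above, as an added example that is not part of this thread or of maildrop itself: a hypothetical stdin/stdout filter in Python that prepends a marker to the Subject header by editing the message text, so the subject is never placed on a command line and quotes or backticks in it remain plain data. The prefix string and the sample message are constructed for the example.

```python
#!/usr/bin/env python3
"""Prepend a marker to the Subject of a message read on stdin.

Hypothetical filter intended to be run from a maildrop xfilter rule.
The message body is the only input; no part of it is interpolated
into a shell command, so a subject such as  it's `id` done  is
handled purely as header data.
"""
import email
import sys
from email import policy

PREFIX = "Auto-Reply:"  # assumed marker; not from the original post


def prepend_subject(raw: bytes, prefix: str = PREFIX) -> bytes:
    """Return the message bytes with `prefix` prepended to Subject.

    A message that already carries the marker is left as-is, so
    re-running the filter does not stack markers. A message without a
    Subject header gets one consisting of the marker alone.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if subject.startswith(prefix):
        return raw
    new_subject = f"{prefix} {subject}" if subject else prefix
    if "Subject" in msg:
        msg.replace_header("Subject", new_subject)
    else:
        msg["Subject"] = new_subject
    return msg.as_bytes()


def subject_of(raw: bytes) -> str:
    """Helper for checks: the decoded Subject of a raw message, or ''."""
    return str(email.message_from_bytes(raw, policy=policy.default)
               .get("Subject", ""))


# Constructed sample: a subject that would break a shell-interpolated
# command line, used here only as data that must survive unchanged.
SAMPLE = (b"From: alice@example.org\r\n"
          b"To: bob@example.org\r\n"
          b"Subject: it's `id` done\r\n"
          b"\r\n"
          b"body\r\n")

if __name__ == "__main__":
    sys.stdout.buffer.write(prepend_subject(sys.stdin.buffer.read()))
```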