Subject: Re: [maildropl] Preserve original sender when using cc !addr@ess ?
From: Sam Varshavchik (mrs@courier-mta.com)
Date: Feb 9, 2005 4:11:41 am
List: net.sourceforge.lists.courier-maildrop

Milan Obuch writes:

On Wednesday 09 February 2005 01:01, Sam Varshavchik wrote:

Ralf Hildebrandt writes:

How can I preserve the original sender when using cc?

Found it myself: cc "|$SENDMAIL -f $FROM -i $RECIPIENTS"

Excellent!

Now, by crafting a specially-selected envelope return address, I can easily hack your machine.

MAIL FROM:<`rm -rf /usr/lib/courier`@yahoo.com>
RCPT TO:<Ralf@charite.de>

Bonus question: try the above sequence of commands, and see what happens.

Is backtick allowed in mailbox part of address? I am looking at rfc2821, and I am just not sure. Using any user or remotely supplied variable without checking is dangerous. How could this be properly checked for?

The proper way to do this is to use quoting properly. In this case, it's:

cc '|$SENDMAIL -f "$FROM" -i "$RECIPIENTS"'

Maildrop does not do variable substitution inside apostrophes, so this string, verbatim, is passed to the shell to execute, with all maildrop variables as the environment for the shell command.

The shell will handle the variable expansion.
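
The difference between the two cc lines in this thread, as an added shell illustration that is not part of the original messages and does not run maildrop itself. It imitates what /bin/sh receives in each case; the `echo` stand-in for `$SENDMAIL`, the sample addresses and the harmless `touch` marker are constructed for the demo.

```shell
#!/bin/sh
# Added illustration: the two functions imitate the string that /bin/sh
# receives from each form of the cc line. All sample values are constructed.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
MARKER="$DEMO_DIR/substitution-ran"

# Stand-in for the real sendmail binary: echoes the arguments it was given.
SENDMAIL='echo sendmail-argv:'
RECIPIENTS='user@example.org'
# Constructed envelope sender containing a harmless command substitution.
FROM="\`touch $MARKER\`@example.com"
export SENDMAIL RECIPIENTS FROM

# cc "|$SENDMAIL -f $FROM -i $RECIPIENTS"
# The variables are substituted before the shell runs, so the sender's
# text becomes part of the command line that the shell then parses.
substituted_before_shell() {
    sh -c "$SENDMAIL -f $FROM -i $RECIPIENTS"
}

# cc '|$SENDMAIL -f "$FROM" -i "$RECIPIENTS"'
# The string reaches the shell verbatim. The shell expands "$FROM" from
# its environment and does not re-parse the expanded value as code.
expanded_by_shell() {
    sh -c '$SENDMAIL -f "$FROM" -i "$RECIPIENTS"'
}

marker_exists() { [ -e "$MARKER" ]; }

substituted_before_shell
marker_exists && echo "first form: the embedded command ran"
rm -f "$MARKER"

expanded_by_shell
marker_exists || echo "second form: sender stayed a literal argument"
```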