Todd Lyons writes:
> Here is a snippet of code that I'm working on in my maildroprc:
> /^Subject: !.*/
> log "Match: $MATCH2"
> SUBJECT=$MATCH2
> SUBJECT=escape($SUBJECT)
> log "Subject: $SUBJECT"
> `test -f $HOME/vacation.subject`
> if ( $RETURNCODE == 0 )
> {
> SUBJECTHEADER=`/bin/head -n 1 $HOME/vacation.subject`
> SUBJECTHEADER=escape($SUBJECTHEADER)
> }
> else
> {
> SUBJECTHEADER="Auto-Reply"
> }
> xfilter "reformail -r -t -I 'From: ${LOGNAME}' -I 'X-Loop: Vacation for
> ${LOGNAME}' -I 'Reply-To: $LOGNAME' -I 'Auto-Submitted: auto-replied' -I
> 'Precedence: junk' -I 'Subject: ${SUBJECTHEADER}: ${SUBJECT}'"
> I am seeing that any subject with a single quote causes problems. It

Yeah, and if someone sends you mail with backticks in the subject, they'll
probably be able to stuff a valid shell command that will be happily
executed on your box.
Messing around with things of this nature should only be done by those who
are fully briefed and are completely up to speed in the area of information
security.

> basically closes the single quote of the Subject header that it's
> inserting. For example, with the subject line:
> We've received: War of the Worlds
> the above command expands to:
> xfilter "reformail -r -t ...
> ... -I 'Subject: Auto-Reply: We've received: War of the Worlds'"
> Do you see the single quote that's screwing it up? The escape()
> function doesn't seem to do it.

It does, but your command line is probably being double-interpreted, once by
maildrop, the second time by the shell. I haven't looked at what you're
doing too closely, but the general advice here is to NEVER extract bits and
pieces of any E-mail message, and try to feed it as a command line argument.
That's just looking for trouble.
You need to find some other way to do what you're trying to do.
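
An added example, not part of the original message or of maildrop: one way to follow the advice above is a filter that reads the message on stdin and builds the reply headers itself, so nothing from the mail is ever placed on a command line. It assumes `LOGNAME` is set in the environment to the user's address and that sendmail lives at `/usr/sbin/sendmail`; `build_reply` and `main` are hypothetical names.

```python
import os, subprocess, sys
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, adjust for the local MTA

def build_reply(raw, logname, prefix="Auto-Reply", body="I am away.\n"):
    """Return the auto-reply, or None when no reply should be sent."""
    orig = message_from_bytes(raw, policy=policy.default)
    # Loop protection: never answer vacation replies or other automatic mail.
    auto = str(orig.get("Auto-Submitted", "no")).strip().lower()
    if "X-Loop" in orig or auto != "no":
        return None
    _, sender = parseaddr(str(orig.get("Reply-To") or orig.get("From") or ""))
    if not sender:
        return None
    # Collapse all whitespace (CR/LF included) so the subject stays one header.
    subject = " ".join(str(orig.get("Subject", "")).split())
    reply = EmailMessage()
    reply["From"] = logname
    reply["To"] = sender
    reply["Reply-To"] = logname
    reply["X-Loop"] = f"Vacation for {logname}"
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "junk"
    # Quotes and backticks are plain header text here; no shell ever sees them.
    reply["Subject"] = f"{prefix}: {subject}"
    reply.set_content(body)
    return reply

def main():
    logname = os.environ["LOGNAME"]
    prefix = "Auto-Reply"
    path = os.path.expanduser("~/vacation.subject")
    if os.path.isfile(path):
        with open(path) as fh:
            prefix = " ".join(fh.readline().split()) or prefix
    reply = build_reply(sys.stdin.buffer.read(), logname, prefix)
    if reply is not None:
        # Argument list, no shell: recipients come from the headers via -t.
        subprocess.run([SENDMAIL, "-t", "-oi"], input=bytes(reply), check=True)

if __name__ == "__main__":
    main()
```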