mailing list archives
Re: a few bugs ...
From: roessler () MUTT ORG (Thomas Roessler)
Date: Wed, 15 Mar 2000 09:07:14 +0100
On 2000-03-13 14:31:23 -0000, Maurycy Prodeus wrote:
Mail agent programs like: standard ;P 'mail' from
Berkeley Distribution or mutt, elm perhaps other :),
use sendmail arguments to put email adress where luser
wants to send mail. It's similar problem to crontab's
or lpd's bugs. Example: if you put line with Reply-To:
-X /dev/hda1 ;P or something like that :> to mail
message and luser ( in this case root ) stupid pushes
OK,OK,OK :) ( ofz he'd want to reply ) it may
write/destroy file ( /dev/hda1 :] ). I know it isn't
good example but I only wanted to show idea...
This does NOT work against mutt:
(1) We use execv to start sendmail from within mutt, so no
shell parsing is involved.
(2) We explicitly tell sendmail to stop option processing
(giving the "--" command line parameter) _before_ we
start throwing externally-supplied e-mail addresses at
Please make sure you verify your claims about security
problems _before_ publishing them in public.