Re: mail Reply-To field exploit
From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Mon, 6 Nov 2000 12:23:20 +0100
On 2000-11-05 21:56:17 +0000, gregory duchemin wrote:
> Note: It's NOT A BUG in mail, sendmail or mail.local but a
> weakness caused by a blindly rfc compliance. I didn't try elm,
> mailx and others so feedback is welcome
No, it's not a weakness caused by blind rfc compliance, but a
deliberate decision by those who wrote mailx.
You can - easily - write MUAs which don't fall for shell meta
characters in addresses. You just have to avoid using popen(3), and
generally avoid the shell when passing things to other programs.
Actually, mailx gets this partially right by using execvp to pass
arguments to sendmail.
However, please have a look at the following comment in front of the
outof() routine in mailx' names.c module, and at the code in that
217  * For each recipient in the passed name list with a /
218  * in the name, append the message to the end of the named file
219  * and remove him from the recipient list.
220  *
221  * Recipients whose name begins with | are piped through the given
222  * program and removed.
223  */
224 struct name *
225 outof(names, fo, hp)
226 	struct name *names;
227 	FILE *fo;
228 	struct header *hp;
(YMMV with respect to line numbers; I'm currently looking at
Debian's version of mailx-8.1.1.)
Thomas Roessler <roessler () does-not-exist org>
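The pattern Thomas describes (hand recipients to sendmail as argv entries via execvp, never through popen(3) or a shell) as an added, self-contained C example; this is not mailx code and not from the original post. It also refuses the two address forms the outof() comment above gives special meaning (a leading "|" and any "/"), plus shell metacharacters, so the addresses stay inert even if some other code path later reaches for popen(3). The sendmail path is assumed.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if addr is acceptable as a sendmail recipient argument.  Rejects
 * what mailx's outof() treats specially (leading '|' = pipe, any '/' = file)
 * plus shell metacharacters, in case some other caller ever uses popen(3). */
int recipient_is_safe(const char *addr)
{
    if (addr == NULL || *addr == '\0' || addr[0] == '|' || strchr(addr, '/'))
        return 0;
    for (const unsigned char *p = (const unsigned char *)addr; *p; p++)
        if (*p < 0x20 || *p == 0x7f || strchr("`$;&|<>()\\\"' \t", *p))
            return 0;
    return 1;
}

/* Fill argv for execvp: sendmail -oi <recipients...> NULL.  argv needs
 * nrecips + 3 slots.  Returns nrecips, or -1 if any recipient is rejected. */
int build_sendmail_argv(char *argv[], const char *const recips[], int nrecips)
{
    argv[0] = "/usr/sbin/sendmail";      /* assumed path; adjust per system */
    argv[1] = "-oi";                     /* a lone '.' line is not end of input */
    for (int i = 0; i < nrecips; i++) {
        if (!recipient_is_safe(recips[i]))
            return -1;
        argv[i + 2] = (char *)recips[i];
    }
    argv[nrecips + 2] = NULL;
    return nrecips;
}

/* Deliver body via fork + execvp (never sh -c or popen(3)): the addresses
 * reach sendmail as argv entries that no shell ever parses.
 * Returns sendmail's exit status, or -1 on a rejected address or OS error. */
int send_message(const char *const recips[], int nrecips, const char *body)
{
    char *argv[nrecips + 3];
    int fd[2], status; pid_t pid;
    if (build_sendmail_argv(argv, recips, nrecips) < 0 || pipe(fd) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* child: stdin <- pipe, then exec */
        close(fd[1]); dup2(fd[0], 0); close(fd[0]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed; no shell fallback */
    }
    close(fd[0]);
    (void)write(fd[1], body, strlen(body));
    close(fd[1]);
    return waitpid(pid, &status, 0) < 0 ? -1 : WEXITSTATUS(status);
}
```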