Bugtraq mailing list archives

Re: mail Reply-To field exploit


From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Mon, 6 Nov 2000 12:23:20 +0100

On 2000-11-05 21:56:17 +0000, gregory duchemin wrote:

> Note: It's NOT A BUG in mail, sendmail or mail.local but a
> weakness caused by a blindly rfc compliance. I didn't try elm,
> mailx and others so feedback is welcome

No, it's not a weakness caused by blind rfc compliance, but a
deliberate decision by those who wrote mailx.

You can - easily - write MUAs which don't fall for shell meta
characters in addresses. You just have to avoid using popen(3), and
generally avoid the shell when passing things to other programs.

Actually, mailx gets this partially right by using execvp to pass
arguments to sendmail.

However, please have a look at the following comment in front of the
outof() routine in mailx' names.c module, and at the code in that
routine:

   216  /*
   217   * For each recipient in the passed name list with a /
   218   * in the name, append the message to the end of the named file
   219   * and remove him from the recipient list.
   220   *
   221   * Recipients whose name begins with | are piped through the given
   222   * program and removed.
   223   */
   224  struct name *
   225  outof(names, fo, hp)
   226          struct name *names;
   227          FILE *fo;
   228          struct header *hp;

(YMMV with respect to line numbers; I'm currently looking at
Debian's version of mailx-8.1.1.)

--
Thomas Roessler                         <roessler () does-not-exist org>

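The two delivery paths contrasted in the message above, as an added example that is neither Thomas's code nor mailx's: a popen(3)-style command string into which the recipient is spliced (what the quoted exploit relies on), beside an argv built for execvp() with a policy check that refuses the recipient forms outof() would treat as a pipe or a file. The sendmail path, the `-oi` flag and the use of `--` to end option parsing are assumptions of this example, as are the constructed hostile Reply-To value and the use of `cat`/`sh` as stand-ins for sendmail so that it runs anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The dangerous pattern: the attacker-controlled address is spliced
 * into a command line that popen(3) hands to /bin/sh, so ';', '|',
 * backquotes and $(...) in the address become shell syntax.
 * Shown only to contrast with the argv version below. */
char *unsafe_command(const char *rcpt)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/sbin/sendmail -oi %s", rcpt);
    return cmd;                     /* a caller would popen(cmd, "w") */
}

/* Policy check for an address that came from a header, not the user.
 * outof() in mailx gives special meaning to a leading '|' (pipe to a
 * program) and to any '/' (append to a file); such strings must never
 * reach that path. A leading '-' is refused so sendmail cannot parse it
 * as an option, and whitespace/control characters are refused outright. */
int recipient_ok(const char *rcpt)
{
    if (rcpt == NULL || *rcpt == '\0')
        return 0;
    if (*rcpt == '|' || *rcpt == '-' || strchr(rcpt, '/') != NULL)
        return 0;
    for (const unsigned char *p = (const unsigned char *)rcpt; *p; p++)
        if (*p <= ' ' || *p == 0x7f)
            return 0;
    return 1;
}

/* Build an argv for execvp(): one element per recipient, no shell.
 * "--" ending option parsing is an assumption about sendmail's getopt
 * handling. Returns the element count (argv[count] == NULL), or 0 if
 * argv is too small or any recipient fails recipient_ok(). */
size_t build_sendmail_argv(const char *sendmail, const char *const *rcpts,
                           size_t nrcpt, char **argv, size_t cap)
{
    size_t n = 0;
    if (cap < nrcpt + 4)
        return 0;
    argv[n++] = (char *)sendmail;
    argv[n++] = "-oi";
    argv[n++] = "--";
    for (size_t i = 0; i < nrcpt; i++) {
        if (!recipient_ok(rcpts[i]))
            return 0;
        argv[n++] = (char *)rcpts[i];
    }
    argv[n] = NULL;
    return n;
}

/* Run argv via fork/execvp with `body` on the child's stdin and return
 * its exit status (-1 on failure). Arguments reach the program byte
 * for byte; nothing ever interprets them as shell syntax. */
int run_with_stdin(char *const argv[], const char *body)
{
    int fd[2];
    if (pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                           /* child */
        if (dup2(fd[0], STDIN_FILENO) == -1)
            _exit(127);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    close(fd[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit early */
    size_t len = strlen(body), off = 0;
    while (off < len) {
        ssize_t w = write(fd[1], body + off, len - off);
        if (w < 0) {
            if (errno == EINTR) continue;
            break;                            /* EPIPE etc. */
        }
        off += (size_t)w;
    }
    close(fd[1]);
    signal(SIGPIPE, old);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample Reply-To value of the kind the thread describes. */
    const char *hostile = "|/bin/sh";
    const char *good = "user@example.org";
    printf("%-20s -> %s\n", hostile, recipient_ok(hostile) ? "accepted" : "refused");
    printf("%-20s -> %s\n", good, recipient_ok(good) ? "accepted" : "refused");
    printf("shell would see: %s\n", unsafe_command("x;id"));

    char *argv[8];
    const char *rcpts[] = { good };
    size_t n = build_sendmail_argv("/usr/sbin/sendmail", rcpts, 1, argv, 8);
    for (size_t i = 0; i < n; i++)
        printf("argv[%zu] = %s\n", i, argv[i]);
    /* "cat" stands in for sendmail so the demo runs without an MTA. */
    return run_with_stdin((char *const[]){ "cat", NULL }, "hello\n") == 0 ? 0 : 1;
}
```

The check in recipient_ok() is the part mailx lacks for header-derived addresses: execvp() already stops the shell from seeing the string, but outof() itself still acts on a leading `|` or an embedded `/`, so the MUA must refuse those before the address enters the recipient list.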