Norm wrote:
David Levine <levinedl(_at_)acm(_dot_)org> writes:
Is clobbering the only [mstore] security concern with -auto?
Wouldn't the '|' feature, combined with an mhstore-store-<type> in
.mh_profile, alllow the execution of arbitrary code?
If arbitrary means "what the user put into their profile",
yes, but we can't prevent that. Is there a way to get
mhstore to execute arbitrary code provided by the message?
Also, '|' isn't affected by -auto: it is enabled even with -noauto.
David
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers