David Levine <levinedl(_at_)acm(_dot_)org> writes:
Norm wrote:
David Levine <levinedl(_at_)acm(_dot_)org> writes:
Is clobbering the only [mstore] security concern with -auto?
Wouldn't the '|' feature, combined with an mhstore-store-<type> in
.mh_profile, alllow the execution of arbitrary code?
If arbitrary means "what the user put into their profile",
yes, but we can't prevent that. Is there a way to get
mhstore to execute arbitrarycode provided by the message?
On closer reading of the man page, I don't think so. You are right
and I was wrong.
Norman Shapiro
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers