Ken wrote:
If arbitrary means "what the user put into their profile",
yes, but we can't prevent that. Is there a way to get
mhstore to execute arbitrary code provided by the message?
It does occur to me that there might be security concerns with using
%a with '|', depending on shell quoting, etc etc (%a inserts all of
the Content-Type parameters). I don't know how common that is.
Again, that's an issue with '|', not -auto. I'll remove the
recommendation in the man page not to use -auto, and add one
to not use %a with '|'. That seems like an odd combination,
though maybe it'd be useful for things like responding to
calendar requests. Though I wouldn't do that from mhstore.
David
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers