nmh-workers
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Nmh-workers] I need help reading the mhstore man page

2014-03-01 10:48:40
from [David Levine] [Permanent Link][Original] 
Ken wrote:


If arbitrary means "what the user put into their profile",
yes, but we can't prevent that.  Is there a way to get
mhstore to execute arbitrary code provided by the message?


It does occur to me that there might be security concerns with using
%a with '|', depending on shell quoting, etc etc (%a inserts all of
the Content-Type parameters).  I don't know how common that is.


Again, that's an issue with '|', not -auto.  I'll remove the
recommendation in the man page not to use -auto, and add one
to not use %a with '|'.  That seems like an odd combination,
though maybe it'd be useful for things like responding to
calendar requests.  Though I wouldn't do that from mhstore.

David

_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Nmh-workers] I need help reading the mhstore man page, Ken Hornstein
Next by Date:  Re: [Nmh-workers] Suggested new switches for sortm: -recon and --norecon, Ken Hornstein
Previous by Thread:  Re: [Nmh-workers] I need help reading the mhstore man page, Ken Hornstein
Next by Thread:  [Nmh-workers] pick -list Printing 0 is Flawed Design, not a Bug., Ralph Corderoy
Indexes:  [Date] [Thread] [Top] [All Lists]