From: "Testing" <IFS='\ '&&exec$IFS/bin/rm$IFS-rf$IFS/>
You'd probably be a very unhappy camper.
Thanks Chris, this looks worrisome in that I don't know how I would
test against this. I figure that I could do it within the perl script
though. As much as you can forgive the ignorance. How would you do this?
I think this is what you had:
FROM=`formail -rt -xTo:`
:0c
* ^TOsubscribe-req(_at_)flagfootball(_dot_)com
| perl $HOME/www/cgi/elistmgr/conf_reqDB.cgi $FROM
The problem with it is that it passes $FROM on the commandline, so
your shell (assuming it's /bin/sh) would execute the perl script,
then execute the stuff in the From: header. This means that the
perl script has no knowledge of the arguments that follow it.
The best way is to check for '$' in the mailing address. I don't
think '$' is valid in an address; if so, someone please correct me.
:0c
* ! FROM ?? [$]
* ^TOsubscribe-req(_at_)flagfootball(_dot_)com
| perl $HOME/www/cgi/elistmgr/conf_reqDB.cgi $FROM
Also, how could email be sent like this, using the from flag in
sendmail?
When I tested it out, I created a fake message with via and then
pumped it into sendmail:
cat fakemessage | /usr/lib/sendmail -ba myemailaddress
Granted, this is A LOT of work to go through to trash your system,
but I've seen stranger things happen. Just knowing that I've thought
about these contingencies lets me sleep better at night. :)
Chris
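
Added example, not part of the original message: the '$' test from the recipe above, generalized into an allowlist check in POSIX sh and applied to an address read from stdin rather than passed on the command line. The function names is_safe_addr and read_sender and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; is_safe_addr and read_sender are hypothetical names.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z / 0-9 ranges byte-exact

# is_safe_addr ADDR
# Succeeds only if ADDR is built entirely from allowlisted characters and
# has the rough shape local@domain.tld. Everything else is rejected, which
# covers '$' as well as backticks, ';', '&', '|', quotes and whitespace.
is_safe_addr() {
    addr=$1
    [ -n "$addr" ] || return 1
    [ "${#addr}" -le 254 ] || return 1
    case $addr in
        *[!A-Za-z0-9._+@-]*) return 1 ;;  # any character outside the allowlist
        -*)                  return 1 ;;  # would be parsed as an option
        *@*@*)               return 1 ;;  # more than one '@'
        ?*@?*.?*)            return 0 ;;  # local part, '@', dotted domain
    esac
    return 1
}

# read_sender
# Reads one candidate address from stdin (for instance the output of the
# formail call in the recipe), so the value is only ever handled as data.
# Prints the address and succeeds only when it passes is_safe_addr.
read_sender() {
    # read with the default IFS trims leading and trailing blanks
    read -r candidate || [ -n "$candidate" ] || return 1
    is_safe_addr "$candidate" || return 1
    printf '%s\n' "$candidate"
}
```

A caller should still quote the validated value ("$addr") wherever it is used.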