procmail

Re: Serious error!? Procmail supplies filenames in /root as arguments to script

2003-07-14 09:57:35
On Mon, 14 Jul 2003, Frode Lillerud wrote:

#### .procmail ####
MESSAGE = `formail -f`

As Sean has already mentioned, it seems odd that you want to put the
entire message into an environment variable and then pass it as a command
line parameter.  For even a moderately large message, there are all sorts
of process limits that you could run into; because MESSAGE is an
environment variable, it's already being passed into the perl script via
$ENV{MESSAGE}, and then you repeat it a second time as $ARGV.

:0fhw: spamwizard.lock
| formail -t -X ""; /www/lillerud.no/spamwizard.pl $MESSAGE; echo

The problem that's causing the symptom you reported, however, is that you
should almost always put double quotes around variable references:

| formail -X ""; /www/lillerud.no/spamwizard.pl "$MESSAGE"; echo

Otherwise, as Sean indirectly pointed out, any filename wildcards that
appear in the value of the variable are subject to expansion by the shell;
and worse, command separators and control structures are also interpreted.
So you're effectively allowing anyone to mail shell programs to you and
have them executed -- and executed as root, if the fact that files in
/root are being expanded is any indication.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
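The following is an added illustration, not part of the original post or of procmail itself: it runs in a plain /bin/sh (standing in for the shell procmail hands the recipe line to) and shows what the quoting advice above changes. The message text, the scratch directory and its files are constructed for the demonstration; the `count_args` function stands in for the spamwizard.pl script and merely reports how many arguments it received.

```shell
#!/bin/sh
# Added example: unquoted $MESSAGE vs "$MESSAGE" on a command line.
# Constructed message body; the '*' is the filename wildcard the post
# warns about, and the spaces trigger word splitting.
MESSAGE='Subject: cheap * offers'

# Stand-in for the script on the command line: reports its argument count.
count_args() {
    echo "$#"
}

# Stand-in that lists each argument on its own line, to see the expansion.
list_args() {
    printf '%s\n' "$@"
}

# Creates a scratch directory with three files so the wildcard has
# something to match (playing the role of the files in /root).
make_scratch_dir() {
    dir=$(mktemp -d) || return 1
    touch "$dir/a" "$dir/b" "$dir/c"
    echo "$dir"
}

# Unquoted: the shell splits the value on whitespace and expands '*'
# against the current directory before the script ever sees it.
unquoted_argc() {
    ( cd "$1" && count_args $MESSAGE )
}

# Quoted: the whole value reaches the script as exactly one argument,
# wildcard and all, untouched.
quoted_argc() {
    ( cd "$1" && count_args "$MESSAGE" )
}

# Same two cases, but showing the arguments themselves.
unquoted_args() {
    ( cd "$1" && list_args $MESSAGE )
}

quoted_args() {
    ( cd "$1" && list_args "$MESSAGE" )
}

# Stand-alone run: prints both expansions side by side, then cleans up.
if [ "${1:-}" = "demo" ]; then
    d=$(make_scratch_dir) || exit 1
    echo "unquoted (\$MESSAGE), argc=$(unquoted_argc "$d"):"
    unquoted_args "$d"
    echo "quoted (\"\$MESSAGE\"), argc=$(quoted_argc "$d"):"
    quoted_args "$d"
    rm -rf "$d"
fi
```

Run it with `sh example.sh demo`: the unquoted form hands the script six arguments, with the three scratch files spliced in where the `*` was, while the quoted form hands it one. The same mechanism is why a message body with wildcards turned up as filenames from /root in the original report; passing the message on stdin (which the recipe already does) or reading `$ENV{MESSAGE}` in the script avoids putting it on the command line at all.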
