[sork] Alias security?

Eric Rostetter eric.rostetter at physics.utexas.edu
Fri Apr 25 01:24:49 PDT 2003


Quoting John Dalbec <jpdalbec at ysu.edu>:

> Since the alias address gets passed to /usr/local/bin/vacation as an
> argument, would it be wise to run it through escapeShellArg?

Technically, I guess so.  We run it through 

Mail_RFC822::parseAddressList()

which should make sure it is a valid rfc822 address.  In most simple cases
this is enough.  However, in the case of complex addresses, it may include
some strange characters such as <>[] and possibly : and ; which could 
be problematic...

By that same logic, wouldn't we want to do it on the actual email address
also so that vacation is sure to pick it up correctly?

Anyone else want to comment?  Sounds like doing this might be a good
thing, and I don't think it would break anything...  I'd want to test
it first of course...

> Thanks,
> John Dalbec

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
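
An added example, not part of the original message and not Sork's own code: it quotes each address with escapeshellarg() before building the command line, so the <>[] : ; characters mentioned above reach the program as literal text in a single argument. The helper name build_command and the sample addresses are constructed, and printf stands in for /usr/local/bin/vacation, whose exact argument layout is assumed here.

```php
<?php
// Added illustration; not code from Sork or Horde.
// Assumption: the alias and the user's address are passed as separate
// command-line arguments. printf stands in for /usr/local/bin/vacation so
// the script runs offline and shows what each argument looks like on arrival.

/**
 * Build a shell command line with the program name and every argument
 * quoted by escapeshellarg(), so the shell never interprets their contents.
 */
function build_command(string $program, array $args): string
{
    $parts = [escapeshellarg($program)];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg($arg);
    }
    return implode(' ', $parts);
}

// Constructed sample aliases using the characters named in the message.
$samples = [
    'jdoe@example.com',
    'John Doe <jdoe@example.com>',
    'jdoe@[192.0.2.10]',
    'staff: jdoe@example.com;',
];

foreach ($samples as $alias) {
    // printf echoes each received argument between brackets, one per line,
    // so two bracketed lines mean exactly two arguments were delivered.
    $cmd = build_command('printf', ['[%s]\n', $alias, 'owner@example.com']);
    echo $cmd, "\n", shell_exec($cmd), "\n";
}
```

Run on a Unix-like system, each sample prints as one bracketed line followed by the owner address, which shows that the spaces, angle brackets and semicolon stayed inside their argument.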

