Re: cli/insert: do not lose the SMTP envelope

Date: Sat, 02 Jan 2016 11:50:16 +0000

To: notmuch@notmuchmail.org

Cc: Tomi Ollila

From: J Farkas


On 2016-01-02 at 13:28:02, Tomi Ollila wrote:
> On Fri, Jan 01 2016, J Farkas <jf.hyqohaczlksw4tx6ae@l2015aftruuq.dns007.net> wrote:
> > Make sure we store the envelope sender/recipient if provided by
> > qmail-command(8) in $RPLINE and $DTLINE.
> > ---
> 
> Probably good feature, but like
> http://www.qmail.org/man/man8/qmail-command.html 
> says:
> 
>           qmail-local supplies several useful environment variables to
>           command.  WARNING: These environment variables are not
>           quoted.  They may contain special characters.  They are
>           under the control of a possibly malicious remote user.
> 
> Should we check that the contents of RPLINE and DTLINE are well-formed
> before writing these to the mail files ?

Thank you for reviewing and being so careful!

That warning is not applicable for the *LINE variables which are
supposed to end up in the message without further munging (they even
have the LF appended already).

The extra carefulness is only relevant for anyone trying to *parse*
those strings, like $EXT via unsafe languages, when EXT becomes the
part following the dash after the username (considering 
bgates-(){:;};shutdown@example.org for example)

It still should be what the envelope sender was, and what was considered
valid at the time.

I actually checked if there's any relevance for this warning: most
maildir delivering programs do it already in one form or the other; in
fact, there is a command in the qmail distribution:
http://www.qmail.org/man/man1/preline.html which does the exact same
getenv and copy to the output.

If you'd like to confirm, there's one repo for what seems to be the
original qmail source; this file shows even DJB does it the same way:

https://github.com/c-rack/qmail/blob/master/preline.c

I would think it's not worth the extra fork and pipe for this.  I don't
see how anyone could do without these headers saved, to be honest :)

Janos
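
One way to implement the well-formedness check asked about in the quoted review, as an added example that is not code from notmuch, qmail or either poster. The function names and the acceptance rules (field name prefix, a single trailing LF, no other control bytes, a 998-character line limit) are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 5322 caps a line at 998 characters, excluding the line terminator. */
#define MAX_HEADER_LINE 998

/* Hypothetical helper: return 1 if `line` is exactly one header line for
 * `field`, i.e. "<field>: <value>\n" with the LF only at the very end and
 * no other control characters. Return 0 otherwise (including NULL). */
static int envelope_line_ok(const char *line, const char *field)
{
    size_t flen, len, i;

    if (line == NULL)
        return 0;
    flen = strlen(field);
    len = strlen(line);
    /* Need "<field>: " plus at least one value byte plus the LF. */
    if (len < flen + 4 || len - 1 > MAX_HEADER_LINE)
        return 0;
    if (strncmp(line, field, flen) != 0 ||
        line[flen] != ':' || line[flen + 1] != ' ')
        return 0;
    if (line[len - 1] != '\n')
        return 0;
    for (i = flen + 2; i < len - 1; i++) {
        unsigned char c = (unsigned char) line[i];
        /* Reject CR, embedded LF and other control bytes; allow TAB. */
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Copy the line to `out` only if it passes the check; 1 if written. */
static int write_envelope_line(FILE *out, const char *line, const char *field)
{
    if (!envelope_line_ok(line, field))
        return 0;
    return fputs(line, out) >= 0;
}

int main(void)
{
    /* RPLINE and DTLINE are the variables named in the patch description. */
    write_envelope_line(stdout, getenv("RPLINE"), "Return-Path");
    write_envelope_line(stdout, getenv("DTLINE"), "Delivered-To");
    return 0;
}
```

The address from the message above passes this check when it appears in a Delivered-To line, since the value is only copied and never interpreted; a value carrying an embedded line break is refused.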

