Re: [Nmh-workers] I need help reading the mhstore man page

nmh-workers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] I need help reading the mhstore man page

From:	David Levine
Subject:	Re: [Nmh-workers] I need help reading the mhstore man page
Date:	Sat, 01 Mar 2014 11:48:06 -0500

Ken wrote:

> >If arbitrary means "what the user put into their profile",
> >yes, but we can't prevent that.  Is there a way to get
> >mhstore to execute arbitrary code provided by the message?
> 
> It does occur to me that there might be security concerns with using
> %a with '|', depending on shell quoting, etc etc (%a inserts all of
> the Content-Type parameters).  I don't know how common that is.

Again, that's an issue with '|', not -auto.  I'll remove the
recommendation in the man page not to use -auto, and add one
to not use %a with '|'.  That seems like an odd combination,
though maybe it'd be useful for things like responding to
calendar requests.  Though I wouldn't do that from mhstore.

David

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Nmh-workers] I need help reading the mhstore man page, norm, 2014/03/01
- Re: [Nmh-workers] I need help reading the mhstore man page, David Levine, 2014/03/01
  - Re: [Nmh-workers] I need help reading the mhstore man page, norm, 2014/03/01
  - Re: [Nmh-workers] I need help reading the mhstore man page, Ken Hornstein, 2014/03/01
- Re: [Nmh-workers] I need help reading the mhstore man page, David Levine <=

Prev by Date: Re: [Nmh-workers] I need help reading the mhstore man page
Next by Date: Re: [Nmh-workers] Suggested new switches for sortm: -recon and --norecon
Previous by thread: Re: [Nmh-workers] I need help reading the mhstore man page
Next by thread: [Nmh-workers] pick -list Printing 0 is Flawed Design, not a Bug.
Index(es):
- Date
- Thread