
[Savannah-dev] [Bug #12] support e-mails eat backquoted text


From: noreply
Subject: [Savannah-dev] [Bug #12] support e-mails eat backquoted text
Date: Sat, 20 Apr 2002 16:49:47 -0400

Bug #12, was updated on 2002-Apr-20 11:56
Here is a current snapshot of the bug.

Project: savannah
Category:  Mail
Severity:  7
Priority:  High
Bug Group:  None
Resolution:  Fixed
Assigned to:  ljulliar
Status:  Closed
Effort:  0.50
Summary:  support e-mails eat backquoted text

Original Submission:  The e-mails sent by the support system remove all text
contained between backquotes (i.e., ascii character
0x60).  For example, see support request #100533[1],
and the e-mail that was sent to savannah-hackers[2].

1. http://savannah.gnu.org/support/?func=detailsupport&support_id=100533&group_id=11
2. http://mail.gnu.org/pipermail/savannah-hackers/2002-March/006446.html


http://savannah.gnu.org/support/?func=detailsupport&support_id=100534&group_id=11

Follow-Ups:
**********

-------------------------------------------------------
Date: 2002-Apr-20 22:49
By: ljulliar

Comment:
This was a bug in the utils.php function util_prep_string_for_sendmail where 
the backquote character was not escaped, causing the shell to interpret the 
backquoted text as a command instead of passing it as normal text to sendmail. 
All services sending followup mails (bug, task, patch, support) were affected.

As you probably realize this was also a *major* security hole!!

`I include this text' to test that the `fix' is ok.

Impacted Files:
www/include/utils.php 1.10

For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=12&group_id=11
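
The failure described in the follow-up, reproduced as an added example; this is not Savannah's code, and the real util_prep_string_for_sendmail is not shown on this page. It assumes the mail body was embedded in a double-quoted shell string, uses `cat` as a stand-in for sendmail, and uses hypothetical function names; it goes beyond the described fix by also showing the body passed on stdin, where no escaping is needed.

```shell
#!/bin/sh
# Added example. `cat` stands in for sendmail, so nothing is mailed.
# Function names are hypothetical; the embedding in a double-quoted
# shell string is an assumption about how the body reached the shell.

# Before: body pasted unescaped into a command line that a shell parses.
# Backquotes stay active inside double quotes, so the backquoted text is
# run as a command and replaced by its output.
send_unescaped() {
    sh -c "printf '%s\n' \"$1\" | cat"
}

# Escape the four characters that remain special inside double quotes:
# backslash, double quote, dollar sign and backquote.
escape_for_dq() {
    printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'
}

# After: same command line, body escaped first.
send_escaped() {
    safe=$(escape_for_dq "$1")
    sh -c "printf '%s\n' \"$safe\" | cat"
}

# Alternative: body goes to the mailer on stdin and is never parsed
# as shell syntax, so no escaping is required.
send_via_stdin() {
    printf '%s\n' "$1" | cat
}

# Constructed sample body; `true` is harmless and prints nothing.
body='the `true` branch'
send_unescaped "$body"
send_escaped "$body"
send_via_stdin "$body"
```

The first call prints the body with the backquoted word missing, which is the symptom in the bug summary; the other two print it intact.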


