On 11.12.2013 14:37, Marcin Szymonik wrote:
>> The real fix is not to process the above commands with the shell.
>
> Thanks for these tips too.
>
> I decided to popen() directly to sendmail without saving a message to tmp
> file.
> Unfortunately I don't see any php function allowing to popen without
> executing a command with the shell.
> What do you think would be the best solution?
> Switch to another scripting language?

the scripting language does not matter, the dangerous call of shell
commands with unknown remote input is the problem

see here why
http://www.securityfocus.com/archive/1/526591

don't do such things on a server
talk with network services and not with shells and pipes

> Switch to "advanced content filter" like described at
> http://www.postfix.org/FILTER_README.html?

switch to an "advanced content filter"
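
The advice above, handing the mail to the MTA over SMTP instead of piping it through a shell, as an added PHP example that is not code from this thread. It assumes PHP 7.1 or later and an SMTP listener on 127.0.0.1:10026; the function names `smtp_cmd`, `smtp_path` and `reinject` are hypothetical.

```php
<?php
// Added example (not from the thread): hand the mail to the MTA over SMTP,
// so no remotely supplied string ever reaches a shell command line.
// Assumed: listener on 127.0.0.1:10026; all function names are hypothetical.
function smtp_cmd($sock, ?string $cmd, string $code): void
{
    if ($cmd !== null && fwrite($sock, $cmd . "\r\n") === false) {
        throw new RuntimeException('SMTP write failed');
    }
    do {    // a reply may span several lines; "NNN-" marks a continuation
        $line = (string) fgets($sock, 1024);   // '' when the connection is lost
    } while (isset($line[3]) && $line[3] === '-');
    if (strncmp($line, $code, 3) !== 0) {
        throw new RuntimeException('Unexpected SMTP reply: ' . trim($line));
    }
}

function smtp_path(string $addr, bool $allowEmpty = false): string
{
    // Conservative allow-list: no CR/LF, spaces, quotes or <> in the envelope,
    // so an address cannot smuggle extra SMTP commands.
    $ok = preg_match('/\A[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+\z/', $addr) === 1;
    if (!$ok && !($allowEmpty && $addr === '')) {
        throw new InvalidArgumentException('Rejected envelope address');
    }
    return '<' . $addr . '>';
}

function reinject(string $sender, array $rcpts, string $message): void
{
    $from = smtp_path($sender, true);        // "<>" is the bounce sender
    $to   = array_map('smtp_path', $rcpts);  // validate before connecting
    $sock = stream_socket_client('tcp://127.0.0.1:10026', $errno, $errstr, 10);
    if ($sock === false) {
        throw new RuntimeException("Cannot reach MTA: $errstr");
    }
    smtp_cmd($sock, null, '220');            // wait for the greeting
    smtp_cmd($sock, 'EHLO localhost', '250');
    smtp_cmd($sock, "MAIL FROM:$from", '250');
    foreach ($to as $path) {
        smtp_cmd($sock, "RCPT TO:$path", '250');
    }
    smtp_cmd($sock, 'DATA', '354');
    // CRLF line endings, then dot-stuff lines that begin with "."
    $body = preg_replace('/^\./m', '..', preg_replace('/\r\n|\r|\n/', "\r\n", $message));
    smtp_cmd($sock, $body . (substr($body, -2) === "\r\n" ? '.' : "\r\n."), '250');
    smtp_cmd($sock, 'QUIT', '221');
    fclose($sock);
}
```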