Paweł Grzesik:
> Good point. I changed it to:
>
> IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
>
> So now it should be secure (same as using $@ instead of $*).
> Am I right? Or am I still missing something?
Sorry, that is still a shell command line. You need an API that passes a vector of arguments, not a command line. Such as Python's os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").

This bug is actually very old. An early publication is at https://www.cert.org/historical/advisories/CA-1996-06.cfm

Wietse
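The distinction Wietse is drawing, shown in Ruby since that is what the original snippet uses. This is an added example, not code from either poster: it substitutes `echo` for `/usr/sbin/sendmail` so it runs anywhere, and the untrusted input is a constructed string. The string form of `IO.popen` hands the command line to `/bin/sh`, so quoting the interpolated value does not help once the value itself contains a quote; the array form execs the program with the given argv and the value reaches it as one literal argument.

```ruby
# Added example (not from the original thread). Contrasts the two IO.popen
# calling conventions. `echo` stands in for sendmail; UNTRUSTED is a
# constructed input that a caller might receive from an untrusted source.

# Vulnerable form: the value is interpolated into a single command string.
# Because the string contains shell metacharacters, Ruby runs it through
# /bin/sh, which interprets the quotes and semicolons in the input.
def run_via_shell_string(arg)
  IO.popen("echo \"#{arg}\"", "r") { |pipe| pipe.read }
end

# Hardened form: an argument vector. Ruby execs the program directly with
# this argv; no shell is involved, so the value is passed through literally.
def run_via_argv(arg)
  IO.popen(["echo", arg], "r") { |pipe| pipe.read }
end

# Constructed input: closes the quoted argument and appends a second command.
UNTRUSTED = 'user@example.com"; echo INJECTED; "'

if __FILE__ == $PROGRAM_NAME
  puts "shell string form output:"
  puts run_via_shell_string(UNTRUSTED)   # the embedded command runs
  puts "argv form output:"
  puts run_via_argv(UNTRUSTED)           # printed back as one literal string
end
```

Note that the argv form only removes the shell from the picture. The program still parses its own argv, so a value that begins with `-` can still be read as an option by the program being launched; that has to be handled separately (for example by validating the value before it is used as an argument).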