I think I can do the same in Ruby using IO.popen like:

IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|

As I see, in this case I don't even need to use my_str with \" \".

But I'm still confused about the -f option in master.cf, and the characters "--"
between ${sender} and ${recipient}. Why is that?

Thanks,
Pawel

2016-10-13 21:24 GMT+01:00 Wietse Venema <wie...@porcupine.org>:

> Paweł Grzesik:
> > Good point. I changed it to:
> >
> > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> >
> > So now it should be secure (same as using $@ instead of $*).
> > Am I right? Or am I still missing something?
>
> Sorry, that is still a shell command line. You need an API that
> passes a vector of arguments, not a command line.
>
> Such as Python's
>
> os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").
>
> This bug is actually very old. An early publication is at
> https://www.cert.org/historical/advisories/CA-1996-06.cfm
>
> Wietse
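
Added example (not part of the original thread, and not Postfix code): this Ruby sketch runs a child Ruby process as a stand-in for /usr/sbin/sendmail and reports which recipients it receives when an address travels through a shell command line versus an argument vector, and what the "--" option terminator changes for an address that begins with "-". The stand-in's option parser, the helper names and the sample addresses are constructed assumptions.

```ruby
require "rbconfig"
require "shellwords"

# Stand-in for /usr/sbin/sendmail (assumption): a child Ruby process that
# parses -G, -i and -f like a getopt-style program and prints the recipients
# it ended up with, NUL-separated, or "REJECTED" on an unknown option.
CHILD = <<~'RUBY'
  require "optparse"
  opts = OptionParser.new
  opts.on("-G") {}
  opts.on("-i") {}
  opts.on("-f SENDER") {}
  begin
    print opts.parse(ARGV).join("\0")
  rescue OptionParser::ParseError
    print "REJECTED"
  end
RUBY
STAND_IN = [RbConfig.ruby, "-e", CHILD, "--"].freeze

# Pattern from the quoted message: one string, so /bin/sh splits the words
# and any quote inside the address is shell syntax, not data.
def recipients_via_shell(addr)
  cmdline = "#{STAND_IN.shelljoin} -G -i \"#{addr}\""
  IO.popen(cmdline, "r", &:read).split("\0")
end

# Argument vector: no shell runs, each array element is exactly one argv
# entry. `before` is placed between the options and the address.
def recipients_via_vector(addr, *before)
  IO.popen([*STAND_IN, "-G", "-i", *before, addr], "r", &:read).split("\0")
end

QUOTE_BREAK = 'alice@example.com" "bob@example.com' # constructed input
DASH_FIRST  = "-x@example.com"                       # constructed input

# Shell string: the embedded quotes split one address into two recipients.
p recipients_via_shell(QUOTE_BREAK)
# Vector: the same bytes arrive as a single, literal recipient.
p recipients_via_vector(QUOTE_BREAK)
# Vector alone does not stop a leading "-" from being read as an option.
p recipients_via_vector(DASH_FIRST)
# With "--" after the options, the address is taken as a recipient.
p recipients_via_vector(DASH_FIRST, "-f", "sender@example.com", "--")
```

The helpers open the pipe in "r" mode only to read back what the stand-in saw; a real submission would use "w" and write the message to the pipe as in the thread.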