On 1/24/07, Robert K. [email protected] wrote:
As always with input parameters: verify them. Make sure those variables
contain what you expect / want to allow them to.
Robert is correct - you would be surprised how much stuff is legal in
an RFC2822-compliant e-mail address. I just successfully sent mail to
these 100% valid addresses:
(rm -rf )[email protected]
"; rm -rf /tmp/path/ ;"@example.com
(replacing example.com with a domain that I own). No quotes are
required on that first example: pipe and forward slash aren’t even
specials in RFC2822. Nor is ampersand. Nor backtick. And parens are
used for comments in addresses. And quoted bits are allowed in local
parts, so you can shoehorn in semicolons.
If you’re going to use exec, you need to process those address bits
separately to find the SUBSET of RFC2822 addresses that your process
is willing to accept. Because with enough quoting and escaping, I can
send almost anything as the sender of an e-mail message.
Unless you have a strong use case otherwise, I suggest allowing only
…former e-mail server admin
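The post argues for two things: accept only a deliberately narrow subset of RFC2822 addresses before handing anything to a mailer, and keep the addresses out of a shell entirely. The example below is added here and is not code from the thread or its authors. It assumes a sendmail-style binary at /usr/sbin/sendmail (a hypothetical path) and a constructed allowlist that rejects quoted local parts, comments, whitespace and every character named in the post (pipe, slash, ampersand, backtick, semicolon, parens). It also refuses a leading hyphen in the local part so an address can never be read as a command-line option. The mailer is invoked with an argv list rather than a shell string, so even an address that slipped past validation would reach sendmail as one literal argument.

```python
import re
import subprocess

# Constructed allowlist: a deliberate SUBSET of RFC 2822 addr-spec.
# Local part: starts with a letter or digit, then letters, digits, underscore,
# plus or hyphen, with single dots between runs. Domain: at least two
# dot-separated labels of letters, digits and internal hyphens. Anything the
# post lists as legal-but-dangerous (quotes, parens, spaces, ; | / & `) fails.
_LOCAL = r"[A-Za-z0-9][A-Za-z0-9_+-]*(?:\.[A-Za-z0-9_+-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
ADDRESS_RE = re.compile(rf"^{_LOCAL}@{_DOMAIN}$")

MAX_ADDRESS_LEN = 254  # common upper bound on a full address

SENDMAIL = "/usr/sbin/sendmail"  # hypothetical path; adjust per host


def is_acceptable_address(addr: str) -> bool:
    """True only for addresses inside the conservative subset above.

    Many perfectly valid RFC 2822 addresses are rejected on purpose; the goal
    is the set this process is willing to pass to a mailer, not full RFC
    compliance.
    """
    if not isinstance(addr, str) or not addr or len(addr) > MAX_ADDRESS_LEN:
        return False
    return ADDRESS_RE.fullmatch(addr) is not None


def first_rejected(addresses):
    """Return the first address that fails validation, or None if all pass."""
    for addr in addresses:
        if not is_acceptable_address(addr):
            return addr
    return None


def build_sendmail_argv(sender: str, recipients, sendmail: str = SENDMAIL):
    """Build an argv list for a sendmail-style mailer.

    Every address is validated first. The result is a list, never a shell
    string, so no shell metacharacter is ever interpreted. Because the local
    part cannot start with '-', no address can be mistaken for an option.
    """
    recipients = list(recipients)
    bad = first_rejected([sender] + recipients)
    if bad is not None:
        raise ValueError(f"rejected address: {bad!r}")
    return [sendmail, "-i", "-f", sender] + recipients


def send_message(sender: str, recipients, message: bytes) -> None:
    """Run the mailer with argv (no shell) and feed the message on stdin."""
    argv = build_sendmail_argv(sender, recipients)
    subprocess.run(argv, input=message, check=True)


if __name__ == "__main__":
    # Constructed samples: the second is the quoted-local-part address from
    # the post; the rest exercise other characters the post calls legal.
    samples = [
        "alice.smith+news@example.com",
        '"; rm -rf /tmp/path/ ;"@example.com',
        "a|b@example.com",
        "`id`@example.com",
        "-leading@example.com",
    ]
    for s in samples:
        print(f"{'accept' if is_acceptable_address(s) else 'reject'}: {s}")
```

The validator is intentionally stricter than the RFC: it is the "subset your process is willing to accept" the post describes, and relaxing it means re-checking every added character against what the mailer's command line and the shell (if one is ever involved) would do with it.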