Bug#809318: bts: overrides user-specified value of sendmail

Daniel Shahaf danielsh at apache.org
Wed Dec 30 10:19:36 UTC 2015


James McCoy wrote on Tue, Dec 29, 2015 at 08:39:31 -0500:
> On Tue, Dec 29, 2015 at 10:15:15AM +0000, Daniel Shahaf wrote:
> > bts(1) sent an email without my permission:
> > ..
> >     % bts --sendmail='() { cat $1 > /dev/tty }' reopen 999999 
> >     --sendmail command contained funny characters: ()
> >     Reverting to default value /usr/sbin/sendmail
> >     %
> > ..
> > 
> > I expected it to invoke «system('() { cat $1 > /dev/tty } /path/to/file')»¹,
> > which would have printed the email to /dev/tty without sending it.
> 
> FWIW, the -n option could be useful here. ☺

Good to know.

> > Also, the patch doesn't cause system() to be invoked on the argument
> > value; the value is split on spaces and fed to exec(), which fails with
> > «Can't exec "()": No such file or directory at scripts/bts.pl line 2651.».
> 
> Hmm, we should probably be using Text::ParseWords' shellwords function
> instead.

That would add support for whitespace and quoting.  However, to make my
original example work, the shell would have to be invoked, e.g., via
.
    exec $ENV{SHELL}, '-c', $sendmailcmd
.
, since the '() { ... }' construct which I used is an artifact of my
$SHELL's command syntax, rather than an execve()-able external command.

I'm not sure which is preferable: shellwords(), '/bin/sh -c $arg', or
'$SHELL -c $arg'.

Cheers,

Daniel



More information about the devscripts-devel mailing list