Bug#809318: bts: overrides user-specified value of sendmail
Daniel Shahaf
danielsh at apache.org
Wed Dec 30 10:19:36 UTC 2015
James McCoy wrote on Tue, Dec 29, 2015 at 08:39:31 -0500:
> On Tue, Dec 29, 2015 at 10:15:15AM +0000, Daniel Shahaf wrote:
> > bts(1) sent an email without my permission:
> > ..
> > % bts --sendmail='() { cat $1 > /dev/tty }' reopen 999999
> > --sendmail command contained funny characters: ()
> > Reverting to default value /usr/sbin/sendmail
> > %
> > ..
> >
> > I expected it to invoke «system('() { cat $1 > /dev/tty } /path/to/file')»¹,
> > which would have printed the email to /dev/tty without sending it.
>
> FWIW, the -n option could be useful here. ☺
Good to know.
> > Also, the patch doesn't cause system() to be invoked on the argument
> > value; the value is split on spaces and fed to exec(), which fails with
> > «Can't exec "()": No such file or directory at scripts/bts.pl line 2651.».
>
> Hmm, we should probably be using Text::ParseWords' shellwords function
> instead.
That would add support for whitespace and quoting. However, to make my
original example work, the shell would have to be invoked, e.g., via
.
exec $ENV{SHELL}, '-c', $sendmailcmd
.
, since the '() { ... }' construct which I used is an artifact of my
$SHELL's command syntax, rather than an execve()-able external command.
I'm not sure which is preferable: shellwords(), '/bin/sh -c $arg', or
'$SHELL -c $arg'.
Cheers,
Daniel
More information about the devscripts-devel
mailing list