On Fri, 7 Mar 1997, Greg A. Woods wrote:
> The "use-a-shell" option would normally imply that a shell will be used
> to parse the command line, thus you must always worry about
> meta-characters in this case. If exim had the 'shquote' variable
> expansion qualifier then ensuring the sanctity of values to be passed on
> a shell command line would be relatively easy.

This is true when the pipe command is specified by the administrator as
part of the configuration. There is a problem when considering pipe
commands set up by users in .forward files, because these are not
subject to string expansion.

Wait a minute. I think I am being stupid. If they are not subject to
string expansion, then they can't be messed up by the insertion of meta
characters, can they? So specifying a shell for conventional .forward
files doesn't have this problem.

Pipe commands specified as part of a filter file *are* expanded, and
these could indeed make use of a quoting operator. However, the users
would have to be educated to make use of it because it is something that
is easily overlooked.

Anyway, I have added to the Exim wish-list an option to use a shell for
the pipe director and reinforced the item that was already there about
providing a shell-quoting operator.
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
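
The point discussed in this message, as an added example that is not part of the original e-mail and is not Exim code: a message-derived value expanded into a command line that a shell then parses, with and without a shell-quoting step. The function name `shquote` is borrowed from the qualifier suggested in the quoted text and is hypothetical here, `run_expanded` is a made-up stand-in for an expanded pipe command, and the sample values are constructed.

```shell
#!/bin/sh
# shquote (hypothetical helper): wrap a value in single quotes and rewrite
# every embedded ' as '\'' so that a POSIX shell parses the result as exactly
# one literal word, whatever meta-characters the value contains.
shquote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) out="$out${s%%\'*}'\\''"; s=${s#*\'} ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$s"
}

# run_expanded (hypothetical): stands in for a pipe command after string
# expansion. $1 is pasted into the command line as-is, then sh parses it.
run_expanded() {
    sh -c "printf '[%s]' $1"
}

# Constructed sample value, as might arrive in a header of an incoming message.
value='report; echo INJECTED'

printf 'unquoted: '
run_expanded "$value"                 # sh sees two commands
printf '\nquoted:   '
run_expanded "$(shquote "$value")"    # sh sees one literal argument
printf '\n'
```

As the message notes, the quoting step only matters where expansion happens: a command line that is never expanded has no slot for a message-derived value to land in.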