[email protected]
[Top] [All Lists]

Bug#278748: marked as forwarded (mailx: unquoted recipient's name causes

Subject: Bug#278748: marked as forwarded mailx: unquoted recipient's name causes sending to fail
From: Debian Bug Tracking System
Date: Sat, 30 Oct 2004 04:33:13 -0700
Your message dated Sat, 30 Oct 2004 13:21:28 +0200
with message-id <[email protected]>
has caused the Debian Bug report #278748,
regarding mailx: unquoted recipient's name causes sending to fail
to be marked as having been forwarded to the upstream software
author(s) [email protected], [email protected]

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at 278748-forwarded) by bugs.debian.org; 30 Oct 2004 11:21:32 +0000
>From [email protected] Sat Oct 30 04:21:32 2004
Return-path: <[email protected]>
Received: from (proxy.sawan.com.pl) [] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CNrIa-0007RO-00; Sat, 30 Oct 2004 04:21:32 -0700
Received: from proxy.sawan.com.pl (localhost [])
        by proxy.sawan.com.pl (8.12.11/8.12.9) with ESMTP id i9UBLSl8025708;
        Sat, 30 Oct 2004 13:21:28 +0200 (CEST)
        (envelope-from [email protected])
Received: (from [email protected])
        by proxy.sawan.com.pl (8.12.11/8.12.9/Submit) id i9UBLSM1025707;
        Sat, 30 Oct 2004 13:21:28 +0200 (CEST)
        (envelope-from luberda)
Date: Sat, 30 Oct 2004 13:21:28 +0200
From: Robert Luberda <[email protected]>
To: [email protected], [email protected]
Cc: [email protected]
Subject: Bug#278748: mailx: unquoted recipient's name causes sending to fail
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-RAVMilter-Version: 8.4.3(snapshot 20030217) (proxy.sawan.com.pl)
Delivered-To: [email protected]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25


I'm the maintainer of Debian mailx package, which is based on OpenBSD 
version. Lately I got a bug report, whose submitter says:

  The MIME standards require mail headers be encoded unless they're
  in the US-ASCII charset, which notably results in the recipient's
  address having symbols such as '?' and '/'. For example, the following
  is a MIME-compliant header:

  > To: =?EUC-KR?B?sei8vL/4?= <[email protected]>
  However, this version of mailx chokes on such an input, because it
  supplies the address to "/bin/sh -c echo %s" without any quoting,
  causing a shell pattern matching failure with names that have '/' and
  '?' above.
  > bash$ /usr/bin/mail '=?EUC-KR?B?sei8vL/4?= <[email protected]>'
  > Subject: blah blah
  > blah blah
  > Cc:
  > /bin/bash: -c: line 1: syntax error near unexpected token `newline'
  > /bin/bash: -c: line 1: `echo =?EUC-KR?B?sei8vL/4?=
  > <[email protected]>'
  > "=?EUC-KR?B?sei8vL/4?= <[email protected]>": No match.
  > mail: (null): Bad address

After checking the source code, I found that this bug is caused by 
expansion of  wildcards and environment variables when mailx tries to
handle special file recipients. 

I agree with the bug submitter, this is a potential security hole,
but I have no idea how to solve it not breaking anything.
Maybe changing isfileaddr function to ignore names with ` or $(
substrings will solve the problem, but I'm not sure if this is
sufficient. Of course the best solution is not to call echo ,
but do wildcards and enviroment internally.

Please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
for the full report.

Best regards,


To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

<Prev in Thread] Current Thread [Next in Thread>
  • Bug#278748: marked as forwarded (mailx: unquoted recipient's name causes sending to fail), Debian Bug Tracking System <=