[pbs-devel] [PATCH proxmox v3] fix #3302: allow for more characters for email
Dominik Csapak
d.csapak at proxmox.com
Wed May 12 16:20:16 CEST 2021
by removing the regex check here; validating addresses is the responsibility of the caller
this is ok since we pass the args directly and not via a shell, so
command injection should not be possible
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
tested command injection with emails like '--help' but this got sent
to '--help at myhostname' which got sent to 'root at myhostname'
proxmox/src/tools/email.rs | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/proxmox/src/tools/email.rs b/proxmox/src/tools/email.rs
index b5d42c4..0b92a5b 100644
--- a/proxmox/src/tools/email.rs
+++ b/proxmox/src/tools/email.rs
@@ -16,23 +16,10 @@ pub fn sendmail(
mailfrom: Option<&str>,
author: Option<&str>,
) -> Result<(), Error> {
- let mail_regex = regex::Regex::new(r"^[a-zA-Z\.0-9-]+@[a-zA-Z\.0-9-]+$").unwrap();
-
if mailto.is_empty() {
bail!("At least one recipient has to be specified!")
}
-
- for recipient in mailto {
- if !mail_regex.is_match(recipient) {
- bail!("'{}' is not a valid email address", recipient)
- }
- }
-
let mailfrom = mailfrom.unwrap_or("root");
- if !mailfrom.eq("root") && !mail_regex.is_match(mailfrom) {
- bail!("'{}' is not a valid email address", mailfrom)
- }
-
let recipients = mailto.join(",");
let author = author.unwrap_or("Proxmox Backup Server");
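Review bot: With the regex gone, nothing in this function rejects control characters in `mailto` or `mailfrom` any more, and the commit message only argues about shell command injection. `recipients` is still built with `join(",")` here, so it is presumably written into the message headers further down (outside this hunk). If so, a CR or LF in an address would let a caller-supplied value add header lines, which is a separate risk from argument injection. I would keep a minimal structural check after the empty test, for example `if mailto.iter().any(|r| r.chars().any(char::is_control)) { bail!("recipient contains control characters") }`, with the same test for a non-default `mailfrom`. The function's doc comment should also state that address syntax is not validated here and must be checked by the caller.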
@@ -44,7 +31,7 @@ pub fn sendmail(
.arg("-f")
.arg(mailfrom)
.arg("--")
- .arg(&recipients)
+ .args(mailto)
.stdin(Stdio::piped())
.spawn()
{
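Review bot: Passing each recipient as its own argument is only safe because of the `--` on the line above, and nothing in the code records that. A short comment on that line, such as `// "--" ends option parsing: recipients starting with '-' are taken as addresses, not flags`, would stop a later cleanup from dropping it. The '--help' test from the patch notes is worth keeping as a regression test if the sendmail binary can be stubbed. The command builder starts and ends outside this hunk.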
--
2.20.1