[pbs-devel] applied: [PATCH proxmox v3] fix #3302: allow for more characters for email

Thomas Lamprecht t.lamprecht at proxmox.com
Wed May 12 21:20:04 CEST 2021


On 12.05.21 16:20, Dominik Csapak wrote:
> by removing the regex check here, that is responsibility of the caller
> 
> this is ok since we pass the args directly and not via shell, so
> command injection should not be possible

yeah, if nothing is there to interpret injected commands then it really isn't
possible, besides naturally some security issue in sendmail command parser or
the like, but there's no future proofing against that.. ;-)

> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> tested command injection with emails like '--help' but this got sent
> to '--help at myhostname' which got sent to 'root at myhostname'
> 
>  proxmox/src/tools/email.rs | 15 +--------------
>  1 file changed, 1 insertion(+), 14 deletions(-)
> 
>

applied, thanks!
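
The distinction the commit message relies on, shown as an added example (not part of the original thread or of the Proxmox code): the same address is handed to a child process once through `sh -c` and once as a plain argv element. Assumptions: `printf` stands in for the mail program, a POSIX `sh` and a `printf` binary are on the PATH, and the sample address is constructed.

```rust
use std::process::Command;

// Constructed sample input: an "address" that carries shell syntax.
const SAMPLE: &str = "user@example.com; echo INJECTED";

/// Run a command and return the lines it wrote to stdout.
fn stdout_lines(cmd: &mut Command) -> Vec<String> {
    let out = cmd.output().expect("failed to spawn child process");
    String::from_utf8_lossy(&out.stdout)
        .lines()
        .map(str::to_owned)
        .collect()
}

/// Pattern to avoid: the address is pasted into a string that `sh` parses,
/// so `;`, `$(...)` and similar characters are treated as shell syntax.
fn via_shell(addr: &str) -> Vec<String> {
    let line = format!("printf '%s\\n' {}", addr);
    stdout_lines(Command::new("sh").arg("-c").arg(line))
}

/// Pattern the thread describes: no shell is involved, the address is a
/// single argv element and reaches the program byte for byte.
fn direct(addr: &str) -> Vec<String> {
    stdout_lines(Command::new("printf").arg("%s\\n").arg(addr))
}

fn main() {
    // The shell splits the input at `;` and runs the second command.
    println!("via shell: {:?}", via_shell(SAMPLE));
    // The whole string arrives as one argument and is printed unchanged.
    println!("direct:    {:?}", direct(SAMPLE));
}
```

Avoiding the shell removes shell parsing only; whether a value with a leading `-` is read as an option is decided by the invoked program, which is the case the `--help` test quoted above exercised.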