> Note that /usr/lib/sendmail (or /usr/sbin/sendmail; a number of
> pre-compiled Linux binaries seem to assume this) doesn't have to be
> "Sendmail". It just has to be a program which accepts an email on
> stdin and does the work involved in delivering it.
Indeed. E.g., /bin/mail
> It does, however, have to exist, otherwise a number of programs (e.g.
> mailx, crond) won't function correctly. Run "strings" on any program
> which sends notification messages by email; you'll probably find a
> reference to /usr/{lib,sbin}/sendmail in the output.
Not only must it exist but, in our case, it must be executable by the HTTP
server.
> [1] Delimit each argument with single quotes, and replace any
> embedded single quotes with quote-backslash-quote-quote.
This is definitely a way that guarantees special shell characters come
through unprocessed, but implementing it turns a CGI module (normally a tiny
fire-and-forget gadget) into a very complex tool that does dynamic memory
allocations and thus requires very careful signal handling and other stuff.
> But it is simple. And reliable; all text within single quotes is
> guaranteed to be left untouched by /bin/sh.
Yes. But why? The shell won't see it if it's just piped to /usr/sbin/sendmail.
--
A cat that meows catches no mice.
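
Added example, not part of the original message or of any program discussed in the thread: quoting rule [1] written against a fixed caller-supplied buffer, so it needs no dynamic allocation and fails closed when the buffer is too small. The names sh_quote and roundtrip, the scratch file name and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rule [1]: wrap the argument in single quotes and turn each embedded '
 * into '\'' (quote-backslash-quote-quote). Writes into a fixed caller
 * buffer (worst case 4*strlen(src)+3 bytes), so no malloc is involved.
 * Returns the quoted length, or -1 if dst is too small (refuse the request). */
long sh_quote(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    if (dstsize < 3) return -1;
    dst[n++] = '\'';
    for (; *src; src++) {
        size_t need = (*src == '\'') ? 4 : 1;
        if (n + need + 2 > dstsize) return -1;  /* room for closing ' and NUL */
        if (need == 4) { memcpy(dst + n, "'\\''", 4); n += 4; }
        else dst[n++] = *src;
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return (long)n;
}

/* Check against the real /bin/sh: have the shell print the quoted word to a
 * scratch file (hypothetical name) and compare it with the raw input.
 * Returns 0 if the shell saw the text unchanged, 1 if not, -1 on error. */
int roundtrip(const char *raw)
{
    char q[512], cmd[600], out[512];
    FILE *f;
    if (sh_quote(raw, q, sizeof q) < 0) return -1;
    snprintf(cmd, sizeof cmd, "printf %%s %s > sh_quote.out", q);
    if (system(cmd) != 0 || (f = fopen("sh_quote.out", "rb")) == NULL) return -1;
    out[fread(out, 1, sizeof out - 1, f)] = '\0';
    fclose(f);
    remove("sh_quote.out");
    return strcmp(out, raw) == 0 ? 0 : 1;
}

int main(void)
{
    const char *raw = "it's; $(id) `x` \"q\" * \\";  /* constructed sample */
    char q[128];
    long n = sh_quote(raw, q, sizeof q);
    printf("%ld bytes: %s\n", n, q);
    printf("unchanged by /bin/sh: %s\n", roundtrip(raw) == 0 ? "yes" : "no");
    return 0;
}
```
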
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 20:25:49 PDT