[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Nmh-workers] I need help reading the mhstore man page
From: |
David Levine |
Subject: |
Re: [Nmh-workers] I need help reading the mhstore man page |
Date: |
Sat, 01 Mar 2014 09:26:25 -0500 |
Norm wrote:
> David Levine <address@hidden> writes:
> > Is clobbering the only [mstore] security concern with -auto?
>
> Wouldn't the '|' feature, combined with an mhstore-store-<type> in
> .mh_profile, alllow the execution of arbitrary code?
If arbitrary means "what the user put into their profile",
yes, but we can't prevent that. Is there a way to get
mhstore to execute arbitrary code provided by the message?
Also, '|' isn't affected by -auto: it is enabled even with -noauto.
David