[Users] That won't work.
claws at dragony.name
Sun Oct 11 15:21:49 CEST 2020
OK, let's calm down. Disarmed repost.
>If you used %to in the template like I said
...which is not working for To: fields with multiple addresses, as I have stated before.
>, and someone knew this "little
>hack" as you call it, what would happen is that the From field would contain:
>
>bad at hacker.com'; rm -rf /* ;'
>
>That rm -rf /* would not be executed.
Correct, but this solution is not working, as stated above and before.
I said the following (which you deleted in your quotation):
"Fortunately there are many placeholders available, and a wonder-placeholder I have found is |p{tool.pl '%to'}. It executes tool.pl, which can do basically everything, even connect to a mysql database to find out what to correctly output so claws puts the correct sender into the field.
BUT DON'T USE IT!..."
To make it clear I write it down again: Your solution is not working with multiple addresses in the To-field. My solution IS working in that case, but has the stated security problems because claws seems to execute the shell script with the parameters "the easy way".
- Dragony
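The quoting problem discussed in this message, as an added example that is not part of the original post or of Claws Mail's code: it models a header value pasted textually into a command string shaped like `|p{tool.pl '%to'}`, next to two safer ways of handing the same value to the tool. `printf` stands in for `tool.pl`, the template string and the sample addresses are constructed, and the textual substitution is an assumption matching what the message suspects, not confirmed client behaviour.

```python
import shlex
import subprocess

# Hypothetical command template shaped like the |p{tool.pl '%to'} placeholder.
# printf stands in for tool.pl so the example runs on any system with /bin/sh.
TEMPLATE = "printf '%s\\n' '%to'"

# Constructed sample To: values (not taken from the thread).
MULTI = "alice@example.org, bob@example.org"
HOSTILE = "x@example.org'; echo INJECTED; : '"  # harmless marker command


def expand_naive(template: str, to: str) -> str:
    """Paste the header value into the command text unchanged."""
    return template.replace("%to", to)


def expand_quoted(template: str, to: str) -> str:
    """Replace the quoted placeholder with a shell-escaped single word."""
    return template.replace("'%to'", shlex.quote(to))


def run_shell(command: str) -> list[str]:
    """Run a command string through /bin/sh and return its stdout lines."""
    done = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(to: str) -> list[str]:
    """No shell at all: the value is one argv entry and is never parsed."""
    done = subprocess.run(["printf", "%s\\n", to],
                          capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    for label, value in (("multi", MULTI), ("hostile", HOSTILE)):
        print(label, "naive :", run_shell(expand_naive(TEMPLATE, value)))
        print(label, "quoted:", run_shell(expand_quoted(TEMPLATE, value)))
        print(label, "argv  :", run_argv(value))
```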