[Users] That won't work.
Michal Suchánek
msuchanek at suse.de
Mon Oct 12 15:31:48 CEST 2020
On Mon, Oct 12, 2020 at 12:47:43PM -0000, Paul wrote:
> On Mon, 12 Oct 2020 13:20:18 +0200
> Michal Suchánek <msuchanek at suse.de> wrote:
>
> > I don't see how you could use the tamplate sanely, though.
> >
> > If you allow passing the header as an argument and the argument is
> > interpreted by the shell the user could quote it - if the header did not
> > include quoting characters as well.
>
> What I suggested was using %to, no shell involved.
Which was pointed out as insufficient in case of multiple recipients,
and it was pointed out that claws allows a template like
|p{tool.pl '%to'}
which is bogus. The %to should not ever be passed to a shell or properly
sanitized.
Thanks
Michal
More information about the Users
mailing list