Stefanovich wrote:
> Do you mean something like this:
>
> #!/usr/bin/perl
>
>
> $host = $ARGV[0];
>
> $sender = $ARGV[1];
>
>
> if ($sender eq '') {
>
> print 'K'.$host.' accepted message.';
>
> exit 0;
>
> }
>
> else {
>
> my $variables;
>
> foreach $var ($ARGV) {
>
> $variables .= "'".$var."' ";
>
> }
>
>
> `/var/qmail/bin/qmail-remote $variables`;
fortunately, qmail's permission separation would basically limit the
damages that could be caused by this to almost nothing, but this is bad
bad bad.
what if I sent an email to a known 'full' account with the envelope
sender of:
1;rm -rf /;@whateverifeellike.com
if you're going to use perl, use perl's exec() function appropriately.
however, I agree with Kyle, that this could/should be written in
something lighter weight, like C. It really would only be a few lines
of C code. I suck at C and I could probably bang it out in about 10
minutes ;)
-Jeremy
signature.asc
Description: OpenPGP digital signature
|