> > Just wondering about the code snippet presented below. > > I may be wrong, but don't we have a recipe for disaster if > > someone were to put an email address of (for instance) ;rm -rf * > > or something to that effect? > > > > > sprintf(buf, "mail -s \"%s\" %s <MAILFILE.TXT &", subject, emailaddr); > > > > > You could always > > if (strchr(emailaddr, ';') != NULL) { ^^^^^^^^^^^^^ What happens if this would be a '&' instead? Bye bye files > > send_to_char("try again asshole"); > > } > Make some kind of generic function that will check the incoming string. Allow NO Unix shell-characters ; : & > < and you will be fine. // Zigg +-----------------------------------------------------------+ | Ensure that you have read the CircleMUD Mailing List FAQ: | | http://cspo.queensu.ca/~fletcher/Circle/list_faq.html | +-----------------------------------------------------------+
This archive was generated by hypermail 2b30 : 12/18/00 PST