I have a question about OS command injection attacks when forwarding
e-mail to a command.
The Postfix alias database allows the following configuration. It forwards
e-mail to the specified command:
I think Postfix executes the following command (my guess...):
echo $e_mail | /path/to/command
But e-mail is a kind of user-inputted value. So I'm worried that
Postfix might execute commands in the content of an e-mail.
Of course I believe Postfix doesn't execute commands from user-inputted
values. But I couldn't find any evidence...
-- Kousuke Ebihara
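
The distinction the question turns on, as an added example that is not part of the original post and is not Postfix code: message text only becomes a command when it is interpolated into a shell command line, not when it is handed to a fixed command on standard input, which is how the aliases(5) manual describes "|command" delivery (mail is piped into the command). The function names, the `cat` stand-in for /path/to/command and the message body are constructed for illustration.

```python
import os
import subprocess
import tempfile


def deliver_by_interpolation(message: str, workdir: str) -> str:
    """Unsafe pattern: the message text becomes part of the shell command line."""
    # /bin/sh parses the whole string, so $(...) inside the message is evaluated.
    result = subprocess.run("echo " + message + " | cat", shell=True,
                            cwd=workdir, capture_output=True, text=True)
    return result.stdout


def deliver_on_stdin(message: str, workdir: str) -> str:
    """Safe pattern: fixed argv, message supplied only as bytes on stdin."""
    # No shell is involved; the command never sees the message as syntax.
    result = subprocess.run(["cat"], input=message,
                            cwd=workdir, capture_output=True, text=True)
    return result.stdout


def marker_created(deliver) -> bool:
    """Run one delivery style in a scratch directory and report whether the
    constructed message body caused a file to be created there."""
    # Constructed sample body (not real mail) with a harmless substitution.
    body = "Subject: test $(touch marker)"
    with tempfile.TemporaryDirectory() as workdir:
        deliver(body, workdir)
        return os.path.exists(os.path.join(workdir, "marker"))


if __name__ == "__main__":
    print("interpolated into command line:",
          marker_created(deliver_by_interpolation))
    print("passed on standard input:      ",
          marker_created(deliver_on_stdin))
```

The same check applies to the program named in the alias: if it is a script that later places header or body text into a shell command line, the first pattern reappears there.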