On Tue, Sep 28, 2021 at 08:16:48AM -0400, Joey Hess wrote: > As recently seen in fail2ban's security hole (CVE-2021-32749), > piping user controlled input to mail is exploitable, > since a line starting with "~! foo" in the input will run command foo. > > This example on the man page pipes to mail. It may not be exploitable. > git rev-list --pretty indents commit messages, which prevents the escape > sequence working there. It's less clear if it might be possible to embed > the escape sequence in a signed push certificate. The user reading the > man page might alter the example to do something more exploitable. > To encourage safe use of mail, add -E 'set escape' Seems like a good goal, but is "-E" portable? On my system, where "mail" comes from the bsd-mailx package, "-E" means "do not send a message with an empty body" and your example command barfs as it tries to deliver to the recipient "set escape". At least we'd want to make a note in the documentation saying what the mysterious "set escape" is doing, and that not all versions of mail would need / want it. -Peff
