From: Andy Thompson (athompsonmooreheadcomm.com)
Date: Mon Aug 02 2004 - 14:45:49 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>>What about:
>>>
>>> By default, this is not allowed, to avoid accidents with software
>>> that passes email addresses via the command line. Such software
>>> would not be able to distinguish a malicious address from a
>>> bona fide command-line option.
>>>
>>>I know that you can prevent this from happening by putting a "--"
>>>option into the command line, but I would not bet my life on it
>>>that everyone would follow such advice.
>>
>>That makes sense.
>
>
> I have updated the text.
>
>
>>So in your opinion, on a system such as mine with no local users, web
>>scripts, et al where I have complete control over what is run on the
>>box, is this a pretty low risk option to enable?
>
>
> Consider the following: does your machine communicate (email) with
> other systems? How will those systems respond to addresses beginning
> with a '-' character? Maybe it triggers a bug, and maybe it hits
> a defensive Postfix box.

Obviously unknowns and out of my control. But I can control my system
and if I can reasonably say that the chances are pretty slim that my
system would send email in this way then it seems like it's not such a
big deal.

AFAICT though, - is a valid char in an email address, even leading -
signs are valid, correct?

-andy

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]