Re: allow_min_user
From: Wietse Venema (wietse porcupine.org)
Date: Mon Aug 02 2004 - 14:51:00 CDT
Andy Thompson:
> >>>What about:
> >>>
> >>> By default, this is not allowed, to avoid accidents with software
> >>> that passes email addresses via the command line. Such software
> >>> would not be able to distinguish a malicious address from a
> >>> bona fide command-line option.
> >>>
> >>>I know that you can prevent this from happening by putting a "--"
> >>>option into the command line, but I would not bet my life on it
> >>>that everyone would follow such advice.
> >>
> >>That makes sense.
> >
> >
> > I have updated the text.
> >
> >
> >>So in your opinion, on a system such as mine with no local users, web
> >>scripts, et al where I have complete control over what is run on the
> >>box, is this a pretty low risk option to enable?
> >
> >
> > Consider the following: does your machine communicate (email) with
> > other systems? How will those systems respond to addresses beginning
> > with a '-' character? Maybe it triggers a bug, and maybe it hits
> > a defensive Postfix box.
>
> Obviously unknowns and out of my control. But I can control my system
> and if I can reasonably say that the chances are pretty slim that my
> system would send email in this way then it seems like it's not such a
> big deal.
>
> AFAICT though, - is a valid char in an email address, even leading -
> signs are valid, correct?
That's only of academic interest, I'm afraid.
The RFC lets one get away with a lot of characters that are unlikely
to be accepted by actual implementations.
Wietse
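
The command-line ambiguity discussed in this thread, as an added example that is not part of the original message or of Postfix: a hypothetical mail-submission CLI whose only option is `-f SENDER`, fed a recipient address that begins with `-`. The option set, function names and addresses are constructed for illustration.

```python
import getopt

def parse_mailer_argv(argv):
    """Hypothetical CLI: '-f SENDER' sets the envelope sender;
    every remaining argument is a recipient."""
    opts, recipients = getopt.getopt(argv, "f:")
    sender = None
    for flag, value in opts:
        if flag == "-f":
            sender = value  # a repeated -f overrides the earlier one
    return sender, recipients

def build_argv_naive(sender, recipient):
    # The recipient is appended directly, so a leading '-' is
    # indistinguishable from a bona fide option.
    return ["-f", sender, recipient]

def build_argv_separated(sender, recipient):
    # "--" ends option parsing; everything after it is an operand.
    return ["-f", sender, "--", recipient]

def reject_leading_minus(recipient):
    # Defensive check in the caller: refuse such addresses outright
    # instead of relying on every program honouring "--".
    if recipient.startswith("-"):
        raise ValueError("address begins with '-': %r" % recipient)
    return recipient

# Constructed sample values.
SENDER = "www@example.com"
ODD_RECIPIENT = "-fother@example.net"

def demo():
    naive = parse_mailer_argv(build_argv_naive(SENDER, ODD_RECIPIENT))
    safe = parse_mailer_argv(build_argv_separated(SENDER, ODD_RECIPIENT))
    try:
        reject_leading_minus(ODD_RECIPIENT)
        rejected = False
    except ValueError:
        rejected = True
    return naive, safe, rejected

if __name__ == "__main__":
    naive, safe, rejected = demo()
    print("without '--':", naive)
    print("with '--':   ", safe)
    print("rejected by caller check:", rejected)
```

Without the separator the address is consumed as a second `-f` and no recipient remains; with `--` it arrives intact as a recipient.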