[1081] in bugtraq


Re: Sendmail 8.6.10: what's different?

daemon@ATHENA.MIT.EDU (der Mouse)
Fri Feb 24 17:52:26 1995

Date: Fri, 24 Feb 1995 16:06:32 -0500
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: bugtraq@fc.net

>> cleanstrcpy(), referred to several times above, is like strcpy, but
>> it strips newlines and copies only a restricted set of characters:
>> letters, digits, and !#$%&'*+-./^_`{|}~

> The reason for that set of characters is that they are the characters
> that "divide" input into tokens in /bin/sh.

> CERT once recommended me to use the following set of filtered
> characters "\"*&|$;'\\=?<>!()\n{}[]^`"

I don't quite understand what you mean.  The list I quoted is
characters that cleanstrcpy() _is_ willing to copy.  Neither the set
sendmail copies nor the set sendmail refuses to copy contains all the
token delimiters in any shell I am aware of - for example, . is copied
and @ isn't, but both are plain characters in every shell I know of;
and ' is copied but " isn't, and both are special in every shell I know
of.  This is why I found the choice of characters hard to understand.
I would almost think it is excluding some list of mail-addressing
characters, except that it copies ! and %....

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
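
Added example, not part of the original message and not sendmail's own code: a C sketch of an allowlist copy built only from the description quoted above, which also computes which characters that allowlist copies even though the filter list attributed to CERT removes them. The names allowlist_copy and copied_but_filtered are hypothetical, and dropping disallowed characters (rather than replacing them) is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Punctuation the quoted description says is copied (besides letters, digits). */
static const char ALLOWED_PUNCT[] = "!#$%&'*+-./^_`{|}~";
/* The filter set the quoted reply attributes to CERT. */
static const char CERT_FILTERED[] = "\"*&|$;'\\=?<>!()\n{}[]^`";

/* strchr() also matches the terminating NUL, so exclude it explicitly. */
static int is_allowed(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr(ALLOWED_PUNCT, c) != NULL);
}

/* Hypothetical helper: bounded copy keeping only allowed characters.
 * Assumption: disallowed characters (newlines included) are dropped.
 * Returns the number of characters written, excluding the NUL. */
size_t allowlist_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0) return 0;
    for (; *src != '\0' && n + 1 < dstlen; src++)
        if (is_allowed((unsigned char)*src))
            dst[n++] = *src;
    dst[n] = '\0';
    return n;
}

/* Collect characters the allowlist copies although the CERT list filters them. */
size_t copied_but_filtered(char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (const char *p = CERT_FILTERED; *p != '\0' && n + 1 < outlen; p++)
        if (is_allowed((unsigned char)*p))
            out[n++] = *p;
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[64], overlap[32];
    allowlist_copy(buf, sizeof buf, "user@host \"x\"; 'y' | z\n"); /* constructed input */
    copied_but_filtered(overlap, sizeof overlap);
    printf("copied:  %s\noverlap: %s\n", buf, overlap);
    return 0;
}
```

The overlap string is the set a caller must still treat as unsafe if the copied value is ever passed to /bin/sh, since the allowlist alone does not remove it.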
