Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!nsc!decwrl!vixie
From: vixie@decwrl.dec.com (Paul Vixie)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Internet VIRUS alert
Message-ID: <43@gnome6.pa.dec.com>
Date: 10 Nov 88 01:57:10 GMT
References: <8811052345.AA18501@okeeffe.Berkeley.EDU> <2624@sultra.UUCP>
Organization: DEC Western Research Lab
Lines: 18

# I agree with the first poster. It is a BIG security hole. I can understand
# the justification for piping incoming mail to a process, but this should be
# done via the 'aliases' file, not the To: line. [...]

And so it is. Try your example (To: "|foo") and you'll see.

The "|programname" syntax is only supposed to work from /usr/lib/aliases and
from ~/.forward. It will definitely not work in a header address -- it just
doesn't go through the right part of the code at that point. And it would
ordinarily not work in a RCPT TO command except that it was allowed to when
debug mode was enabled.

Berkeley's fix to sendmail turns off the DEBUG command; the proper thing to
do is to stop allowing RCPT TO:<|sed -e ...> just because debug mode happens
to be enabled. (Which is what I did to the version I run here.)

-- 
Paul Vixie
Work: vixie@decwrl.dec.com decwrl!vixie +1 415 853 6600
Play: paul@vixie.sf.ca.us vixie!paul +1 415 864 7013
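
The rule described in the post above, as an added example that is not part of the original message and is not sendmail's code: whether a "|program" recipient is honored depends only on where the address came from, never on debug state. The enum, the function names and the sample path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Where a recipient string entered the mailer (hypothetical names). */
enum addr_source { SRC_ALIASES, SRC_FORWARD, SRC_HEADER, SRC_SMTP_RCPT };

/* True when the address requests delivery to a program: |prog, "|prog", <|prog>. */
static bool is_program_addr(const char *addr)
{
    while (*addr && (isspace((unsigned char)*addr) || *addr == '<' || *addr == '"'))
        addr++;
    return *addr == '|';
}

/* Flawed policy, as the post describes it: debug mode widens what RCPT TO accepts. */
bool program_ok_flawed(const char *addr, enum addr_source src, bool debug)
{
    if (!is_program_addr(addr))
        return true;                        /* ordinary mailbox, not our concern */
    if (src == SRC_ALIASES || src == SRC_FORWARD)
        return true;
    return src == SRC_SMTP_RCPT && debug;   /* trust tied to a diagnostic flag */
}

/* Corrected policy: only locally administered files may name a program. */
bool program_ok_fixed(const char *addr, enum addr_source src, bool debug)
{
    (void)debug;                            /* debug state never affects trust */
    if (!is_program_addr(addr))
        return true;
    return src == SRC_ALIASES || src == SRC_FORWARD;
}

int main(void)
{
    const char *rcpt = "<|/usr/local/bin/filter>";   /* constructed sample */
    printf("RCPT TO, debug on:  flawed=%d fixed=%d\n",
           program_ok_flawed(rcpt, SRC_SMTP_RCPT, true),
           program_ok_fixed(rcpt, SRC_SMTP_RCPT, true));
    printf("aliases, debug off: flawed=%d fixed=%d\n",
           program_ok_flawed("|/usr/local/bin/filter", SRC_ALIASES, false),
           program_ok_fixed("|/usr/local/bin/filter", SRC_ALIASES, false));
    return 0;
}
```
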