From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id 5F02F7B6E4
for <pbs-devel@lists.proxmox.com>; Wed, 12 May 2021 16:20:18 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 50C47E4CE
for <pbs-devel@lists.proxmox.com>; Wed, 12 May 2021 16:20:18 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS id 2B553E4C3
for <pbs-devel@lists.proxmox.com>; Wed, 12 May 2021 16:20:17 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id ED22542D85
for <pbs-devel@lists.proxmox.com>; Wed, 12 May 2021 16:20:16 +0200 (CEST)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Wed, 12 May 2021 16:20:16 +0200
Message-Id: <20210512142016.3476-1-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.018 Adjusted score from AWL reputation of From: address
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH proxmox v3] fix #3302: allow for more characters
for email
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
<pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2021 14:20:18 -0000
by removing the regex check here, that is responsibility of the caller
this is ok since we pass the args directly and not via shell, so
command injection should not be possible
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
tested command injection with emails like '--help' but this got sent
to '--help@myhostname' which got sent to 'root@myhostname'
proxmox/src/tools/email.rs | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/proxmox/src/tools/email.rs b/proxmox/src/tools/email.rs
index b5d42c4..0b92a5b 100644
--- a/proxmox/src/tools/email.rs
+++ b/proxmox/src/tools/email.rs
@@ -16,23 +16,10 @@ pub fn sendmail(
mailfrom: Option<&str>,
author: Option<&str>,
) -> Result<(), Error> {
- let mail_regex = regex::Regex::new(r"^[a-zA-Z\.0-9-]+@[a-zA-Z\.0-9-]+$").unwrap();
-
if mailto.is_empty() {
bail!("At least one recipient has to be specified!")
}
-
- for recipient in mailto {
- if !mail_regex.is_match(recipient) {
- bail!("'{}' is not a valid email address", recipient)
- }
- }
-
let mailfrom = mailfrom.unwrap_or("root");
- if !mailfrom.eq("root") && !mail_regex.is_match(mailfrom) {
- bail!("'{}' is not a valid email address", mailfrom)
- }
-
let recipients = mailto.join(",");
let author = author.unwrap_or("Proxmox Backup Server");
@@ -44,7 +31,7 @@ pub fn sendmail(
.arg("-f")
.arg(mailfrom)
.arg("--")
- .arg(&recipients)
+ .args(mailto)
.stdin(Stdio::piped())
.spawn()
{
--
2.20.1