From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dominik Csapak To: pbs-devel@lists.proxmox.com Date: Wed, 12 May 2021 16:20:16 +0200 Message-Id: <20210512142016.3476-1-d.csapak@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.018 Adjusted score from AWL reputation of
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox v3] fix #3302: allow for more characters for email X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 May 2021 14:20:18 -0000 by removing the regex check here, that is responsibility of the caller this is ok since we pass the args directly and not via shell, so command injection should not be possible Signed-off-by: Dominik Csapak --- tested command injection with emails like '--help' but this got sent to '--help@myhostname' which got sent to 'root@myhostname' proxmox/src/tools/email.rs | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/proxmox/src/tools/email.rs b/proxmox/src/tools/email.rs index b5d42c4..0b92a5b 100644 --- a/proxmox/src/tools/email.rs +++ b/proxmox/src/tools/email.rs @@ -16,23 +16,10 @@ pub fn sendmail( mailfrom: Option<&str>, author: Option<&str>, ) -> Result<(), Error> { - let mail_regex = regex::Regex::new(r"^[a-zA-Z\.0-9-]+@[a-zA-Z\.0-9-]+$").unwrap(); - if mailto.is_empty() { bail!("At least one recipient has to be specified!") } - - for recipient in mailto { - if !mail_regex.is_match(recipient) { - bail!("'{}' is not a valid email address", recipient) - } - } - let mailfrom = mailfrom.unwrap_or("root"); - if !mailfrom.eq("root") && !mail_regex.is_match(mailfrom) { - bail!("'{}' is not a valid email address", mailfrom) - } - let recipients = mailto.join(","); let author = author.unwrap_or("Proxmox Backup Server"); @@ -44,7 +31,7 @@ pub fn sendmail( .arg("-f") .arg(mailfrom) .arg("--") - .arg(&recipients) + .args(mailto) .stdin(Stdio::piped()) .spawn() { -- 2.20.1
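Review bot: In the first hunk of `sendmail()`, dropping `mail_regex` removes every check on `mailto` and `mailfrom` except `mailto.is_empty()`, and the old pattern was also what rejected whitespace and CR/LF in those values. The line `let recipients = mailto.join(",");` is kept even though the second hunk stops passing `recipients` to the command, so it is presumably still used further down, outside the visible context. If it or `mailfrom` is written into the message headers there, a line break inside an address would add header lines. I would keep a narrow check that bails on control characters in each recipient and in `mailfrom`, and state in the function's doc comment that address syntax is now the caller's responsibility.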
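Review bot: In the second hunk, `.args(mailto)` is safe from option parsing only because of the `.arg("--")` line directly above it, and nothing in the code says so. Now that recipients are unvalidated, add a comment on `.arg("--")` saying that it must stay in front of the recipient list. The test note under the `---` also shows that a value like '--help' is accepted and ends up delivered to 'root@myhostname', so if silently mailing local root for a malformed address is not wanted, callers need to reject such values before calling `sendmail()`.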