author | Joey Hess <joeyh@joeyh.name> | 2021-09-28 08:12:42 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2021-09-28 08:12:42 -0400 |
commit | f4a811d0a1fafb3d7b0e7f514d85916ae3933942 (patch) | |
tree | 6518039d2c02503f4b087125bc9bdc5c98c82088 /ifne.docbook | |
parent | 6140dbc815ef70b11982ff1ed7b3885426e30dda (diff) | |
download | moreutils-f4a811d0a1fafb3d7b0e7f514d85916ae3933942.tar.gz |
ifne.1: Improve example that pipes to mail to avoid escape sequences
As recently seen in fail2ban's security hole (CVE-2021-32749),
piping user-controlled input to mail is exploitable,
since a line starting with "~! foo" in the input will run command foo.
A core file named like that is not impossible, so guard against it in this
example.
Sponsored-by: Jack Hill on Patreon
Diffstat (limited to 'ifne.docbook')
-rw-r--r-- | ifne.docbook | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ifne.docbook b/ifne.docbook index e9c4569..2dbf215 100644 --- a/ifne.docbook +++ b/ifne.docbook @@ -79,7 +79,7 @@ with this program; if not, write to the Free Software Foundation, Inc., <refsect1> <title>EXAMPLE</title> <cmdsynopsis> - <command>find . -name core | ifne mail -s "Core files found" root</command> + <command>find . -name core | ifne mail -E 'set escape' -s "Core files found" root</command> </cmdsynopsis> </refsect1> |
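Review bot: the changed <command> line in the EXAMPLE refsect1 gains -E 'set escape' but the man page itself gets no explanatory text, so a reader copying the example cannot tell that the option is the guard against "~!" lines described in the commit message, or which mail implementation's -E syntax it assumes. Suggest adding a short paragraph after the <cmdsynopsis> saying that the option is there because the file names reaching mail are not trusted, and that -E is not handled the same way by every mail program, so the invocation should be checked against the locally installed mail before it is reused.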