comparison mercurial/mail.py @ 43019:2cc453284d5c
patchbomb: protect email addresses from shell
When patchbomb sends email via a sendmail-like program it invokes this
using procutil.popen which passes the string to a shell to be parsed.
To protect any special characters in the email addresses on the
command line from being interpreted by the shell they must be
quoted.
author | Floris Bruynooghe <flub@google.com> |
---|---|
date | Mon, 30 Sep 2019 00:01:58 +0200 |
parents | 9b3be572ff0c |
children | 2372284d9457 |
43018:d1d919f679f7 | 43019:2cc453284d5c |
---|---|
150 return send | 150 return send |
151 | 151 |
152 def _sendmail(ui, sender, recipients, msg): | 152 def _sendmail(ui, sender, recipients, msg): |
153 '''send mail using sendmail.''' | 153 '''send mail using sendmail.''' |
154 program = ui.config('email', 'method') | 154 program = ui.config('email', 'method') |
155 stremail = lambda x: stringutil.email(encoding.strtolocal(x)) | 155 stremail = lambda x: ( |
156 procutil.quote(stringutil.email(encoding.strtolocal(x)))) | |
156 cmdline = '%s -f %s %s' % (program, stremail(sender), | 157 cmdline = '%s -f %s %s' % (program, stremail(sender), |
157 ' '.join(map(stremail, recipients))) | 158 ' '.join(map(stremail, recipients))) |
158 ui.note(_('sending mail: %s\n') % cmdline) | 159 ui.note(_('sending mail: %s\n') % cmdline) |
159 fp = procutil.popen(cmdline, 'wb') | 160 fp = procutil.popen(cmdline, 'wb') |
160 fp.write(util.tonativeeol(msg)) | 161 fp.write(util.tonativeeol(msg)) |
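Review bot: `program` is still interpolated unquoted into the `'%s -f %s %s'` format on new line 157, while the sender and recipients now go through `procutil.quote`. If that is deliberate because the `email.method` setting may carry its own arguments, a short comment next to the `cmdline` assignment should say so, so a later reader does not "fix" it or assume the whole command line is quoted. The new `stremail` lambda on lines 155-156 would also benefit from a one-line comment stating that the quoting is there because `procutil.popen` hands the string to a shell, and from a test that passes an address containing shell metacharacters through `_sendmail`. Shell quoting does not change how the mail program itself parses its arguments, so it is worth checking whether an address beginning with `-` can reach this point and be read as an option.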