
Re: [PATCH] Mention that quotes can't be used in query_command.



On Thu, Apr 01, 2010 at 09:59:37AM -0700, Michael Elkins wrote:
> On Thu, Apr 01, 2010 at 05:30:26PM +0200, Simon Ruderich wrote:
>> This patch improves the description of $query_format to mention
>> that quotes shouldn't be used around %s.
>
> I reworked that section to be more clear:
>
>       This specifies the command Mutt will use to make external address
>       queries. The string may contain a “%s”, which will be substituted with
>       the query string the user types. Mutt will add quotes around the string
>       substituted for “%s” automatically according to shell quoting rules, so
>       you should avoid adding your own. If no “%s” is found in the string,
>       Mutt will append the user's query to the end of the string. See “query”
>       for more information.

Thanks.

> I would not consider it a security issue, however.  $query_command is
> only ever expanded using a string the Mutt user types in, not any data
> received externally.

I run it sometimes on an email from another user (for example in
the send menu) to fix their name if they forgot to add it. But
you're right, that's not really a security problem.

>> I'm not sure what $query is, so I left it unchanged.
>
> It's a reference to the "External Address Queries" section in the
> manual (aka http://www.mutt.org/doc/devel/manual.html#query).
>
> me

Thanks for your quick reply.
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
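
The behaviour described in the reworded $query_command paragraph quoted above, as an added example (not part of the original messages and not Mutt's code): it shows why wrapping %s in your own quotes cancels the automatic quoting. Assumptions: Python's shlex.quote stands in for Mutt's shell quoting, LOOKUP is a hypothetical helper that echoes its arguments, and the query string and MUTT_DEMO variable are constructed.

```python
import json
import os
import shlex
import subprocess
import sys

# Hypothetical stand-in for an address-lookup program: prints its argv as JSON.
SHOW_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"
LOOKUP = f"{shlex.quote(sys.executable)} -c {shlex.quote(SHOW_ARGV)}"

QUERY = "Jane  Doe $MUTT_DEMO"  # constructed query typed by the user


def expand_query_command(template: str, query: str) -> str:
    """Substitute the shell-quoted query for %s, or append it if %s is absent."""
    quoted = shlex.quote(query)  # assumption: approximates Mutt's quoting
    if "%s" in template:
        return template.replace("%s", quoted)
    return f"{template} {quoted}"


def argv_seen_by_lookup(template: str, query: str) -> list:
    """Run the expanded command through the shell; return the helper's argv."""
    env = dict(os.environ, MUTT_DEMO="expanded")  # constructed variable
    result = subprocess.run(
        expand_query_command(template, query),
        shell=True, env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Bare %s and no %s at all: the query arrives as one literal argument.
    print(argv_seen_by_lookup(LOOKUP + " %s", QUERY))
    print(argv_seen_by_lookup(LOOKUP, QUERY))
    # User-added quotes pair up with the automatic ones and leave the query
    # unquoted, so the shell splits it and expands the variable.
    print(argv_seen_by_lookup(LOOKUP + " '%s'", QUERY))
```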
