History log of /src/usr.bin/mail/send.c |
Revision | | Date | Author | Comments |
1.40 |
| 09-Jul-2025 |
rillig | mail: fix lint warnings
No binary change, except for one line number in an assertion.
|
1.39 |
| 09-Nov-2017 |
christos | branches: 1.39.16; Only open regular files.
|
1.38 |
| 16-Dec-2014 |
christos | Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses by default. That avoids a direct command injection with syntactically valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail headers (with -t) or in address lines copied over from previous while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is documented behavior for Heirloom mailx, and was mentioned in an old technical report about BSD mailx (which does not usually make its way into operating system installations). The patch switches off this processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email address arguments. This prevents changing e.g. the Postfix configuration file in unexpected ways. This behavior was documented for BSD mailx (sort of), but not for Heirloom mailx. We did not assign a CVE to this because it is more of a missing feature, and code invoking mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO unexpected. (Not really required with patch 1, and there is still information disclosure/DoS potential if this expansion occurs.) This is a historic vulnerability already fixed in the Debian package, retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
|
1.37 |
| 29-Apr-2012 |
christos | branches: 1.37.10; set close on exec for all opened files.
|
1.36 |
| 13-Apr-2009 |
he | branches: 1.36.6; Do the -Wuninitialized workaround in a way which conforms to our style guide, and remove a now unneeded LINTED comment. From private feedback.
|
1.35 |
| 12-Apr-2009 |
he | Work around a problem with gcc -Wuninitialized seen for our sh3 targets.
|
1.34 |
| 10-Apr-2009 |
christos | From Anon Ymous:
- Remove all longjmp(3) calls from signal handlers. Instead, we post to an internal signal queue and check that periodically. All signal related code is now in sig.c, except for the SIGCHLD handler which remains in popen.c as it is intimately tied to routines there.
- Handle SIGPIPE in type1() regardless of mime support, or else the handler in execute() will prevent our error code from being returned resulting in 'sawcom' not being set on the first command as it should. This only affected the initial behavior of the "next" command without mime support.
- Add the 'T' flag to many commands in cmdtab.c that should not look like the first command. E.g., start mail on a mailbox with multiple messages, run "set foo", then "next", and watch the second message get displayed rather than the first as is the case without the first "set" command.
- Add file descriptor and file handle leak detection. Enabled by DEBUG_FILE_LEAK. This will likely disappear in the future.
- Fix a long standing (since import in 1993) longjmp() bug in edstop(): the jmpbuf was invalid when quit() is called at the end of main.
- Fix a long standing bug (since import in 1993) in snarf() where it didn't strip whitespace correctly if the line consisted only of whitespace.
- Lint cleanup.
- New Feature: "Header" command. This allows miscellaneous header fields to be added to the header, e.g., "X-Organization:" or "Reply-To:" fields.
- New Feature: "page-also" variable. This allows the specification of additional commands to page. It is more flexible than "crt".
- Document the "pager-off" variable: if set, it disables paging entirely.
|
1.33 |
| 25-Jan-2009 |
lukem | branches: 1.33.2; sign-compare fix for amd64
|
1.32 |
| 30-Oct-2007 |
christos | From Anon Ymous:
- Add a "forward" command as requested by garbled@. From the manpage:
forward Takes a list of messages and prompts for an address (or addresses) to forward each message to. If no message list is specified, the current message is used. The mail editor is run for each message allowing the user to enter a message that will precede the forward message. The message is sent as a multipart/mixed MIME encoded message.
- Add the ability to match messages that do (or do not) contain a header field. E.g., the command "f ! /Subject:" will display the list of messages that are missing a "Subject" field.
- Teach savemail() to prefix fake headlines so the mbox doesn't get broken.
- Fixed a couple of "bugs" in the attachment editing routine.
|
1.31 |
| 29-Oct-2007 |
christos | From Anon Ymous: knf changes:
- s/sizeof x/sizeof(x)/.
- remove unnecessary malloc typecasts.
- whitespace nits.
|
1.30 |
| 27-Oct-2007 |
christos | From Anon Ymous:
- Add a "bounce" command as requested by garbled@. From the manpage:
bounce Takes a list of messages and prompts for an address to bounce the messages to. All the original header fields are preserved except for the ``Delivered-To'', ``X-Original-To'' and ``Status'' fields. The new ``To'' field contains the bounce address(es) plus any addresses in the old ``To'' field minus the user's local address and any on the alternates list. (See the alternates command.)
|
1.29 |
| 23-Oct-2007 |
christos | From Anon Ymous:
- Introduce date_to_tm() and hl_date_to_tm() to parse the date and headline date a bit more efficiently.
- If 'tm_isdst' is determined, let strftime(3) handle the '%Z' and '%z' formats. Otherwise, output "-0000" and "???", respectively, to help preserve alignment; strftime(3) will output an empty string in these cases.
- Change fail() to use the '-d' flag (which sets the 'debug' variable) rather than the "debug" _environment_ variable. This is more consistent with other warnings.
- Don't use gcc C extensions, e.g., "case LOW ... HIGH:".
- Define is_WSP() in def.h to be an inline function that checks for whitespace (WSP = ' ' or '\t'), as defined in RFC 2822. Use it consistently in place of isblank().
- For consistency, rename skip_blank() to skip_WSP().
- Add inline skip_space() to complement skip_blank() (now skip_WSP).
- Check all ctype(3) calls for argument range issues.
- Whitespace and comment cleanup/changes.
|
1.28 |
| 28-Nov-2006 |
christos | branches: 1.28.8; From Anon Ymous:
1) Statification of modules.
2) Implement the 'detach' and 'Detach' commands for extracting mime parts from messages.
3) Teach mail to output "In-Reply-To" and "References" header fields when replying so others can thread us.
4) Implement threading, sorting, and tagging, supported by the following commands: 'flatten', 'reverse', 'sort', 'thread', 'unthread', 'down', 'tset', 'up', 'expose', 'hide', 'tag', 'untag', 'invtags', 'tagbelow', 'hidetags', 'showtags'. See the manpage for details (when available - soon).
5) Implement a 'deldups' command to delete duplicate messages based on their "Message-Id" field, e.g., in replies to a mailing list that are also CCed to a subscriber. (This can also be accomplished with the threading and tagging commands.)
6) Implement 'ifdef' and 'ifndef' commands, and make the conditionals nestable (i.e., implement a conditional stack). The if/else/endif commands existed before, but they were primitive and undocumented. The 'if' command currently recognizes the "receiving", "sending", and "headersonly" mode keywords.
7) Teach the message selecting routine to understand regular expressions if "regex-search" is defined. Otherwise only case insensitive substring matches are done (as in the past).
8) Teach the message selection routine to understand boolean expressions. Improved "colon-modifier" support. See the manpage for details (when available - soon).
9) Extend paging to all commands (where relevant).
10) Add shell like piping and redirection of (standard) output (if "enable-piping" is defined). Extend completion to these contexts.
11) The manpage should follow soon!!!!
|
1.27 |
| 31-Oct-2006 |
christos | More fixes from Anon Ymous:
1) Removed the -B flag (it was stupid on my part) and added a short description indicating how to accomplish the same thing under the "Sending Mail" section of man mail(1).
2) Added a -H flag to dump the headers and exit. It takes optional flags to restrict to old, new, read, unread, and deleted messages (the latter being kind of useless - it shares code with something that already had it).
3) Restored the 'Save' command which somehow got mistakenly removed in the last commit and add documentation for it! (My apologies to its author.)
4) Added a 'mkread' command to mark messages as read (the inverse of 'unread'). Should we also have a 'mknew' command?
5) Added a 'smopts' command to keep a database of addresses and sendmail options to be used when sending messages to those addresses. See man mail(1) for a fuller description.
6) Added 'indentpreamble' and 'indentpostscript' variables whose values are inserted before and after a quoted message (~m or ~M escapes).
7) Added string formatting abilities for the 'prompt', 'insertpreamble', 'insertpostscript', and header display strings. These strings support all the strftime() format parameters as well as many more specific to mail (see man mail(1)).
8) Fix the -a flag so that it only takes a single filename, unless "mime-attach-list" is defined. This is more conventional and avoids unexpected whitespace issues.
|
1.26 |
| 21-Oct-2006 |
christos | From our anonymous user:
- mime and character set handling
- command line editor and completion
- many code improvements
|
1.25 |
| 18-Sep-2006 |
christos | Jumbo mail patch from our anonymous user:
1) Use editline [optional]: Most of this code was borrowed from src/usr.bin/ftp. It does the appropriate editing, history, and completion for all mail commands (from cmdtab[]) and also does editing on header strings ('~h' inside the mail editor).
2) '-B' flag: This will suppress the "To:" line passed to sendmail. In most configurations it will lead to sendmail adding "To: undisclosed recipients;". Currently, AFAIK mail requires at least one exposed recipient address.
3) Comments in rcfile: Currently, comments in .mailrc are only supported if the first (non-white) character on a line is '#' followed by white space, i.e., '#' is a 'nop' command. This (trivial) patch allows the more normal/expected use of '#' as a comment character. It does not respect quoting, so that might be an objection which I should fix.
4) Sendmail option editing: This adds the sendmail option string to the strings editable by the '~h' command within the mail editor. Currently, you can only set this string from the command-line, which is particularly annoying when replying to mail.
5) Reply from: When replying to a message, grab the "To:" address from the message and, if there is only one such address and it does not match a list of allowed addresses (set in the "ReplyFrom" variable), pass it to sendmail as the "From:" address for the reply (with the '-f' option). I often make aliases for myself so that my primary address is not given out; if the alias gets out, I know who to blame. Unfortunately, a reply to such a message would normally use the primary address without this patch. A warning is displayed when this is going to happen so that it can be modified with '~h'.
6) CC and BCC lists: Allow '-c' and '-b' to accept white-space or ',' delimited lists. Currently, a white-space delimited list of addresses works, but a list of aliases will not get expanded. For example, currently:
mail -c "foo bar" christos
will fail to send mail to 'foo' and 'bar' if these are mail aliases (in ~/.mailrc); sendmail aliases (in /etc/aliases) do work.
7) pipe command: This pipes the current message into a shell command. I use this for quick decoding of uuencoded mail, but I can imagine it might be useful for decrypting encrypted mail, too.
8) show command: This command takes a list of variables and shows their values. It is probably stupid as the 'set' command without any argument displays all variable values. Of course, if there are a lot of variables you have to sift through the list for the one(s) you want.
|
1.24 |
| 03-Mar-2006 |
christos | PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.23 |
| 19-Jul-2005 |
christos | Pass lint completely.
|
1.22 |
| 19-Jul-2005 |
christos | WARNS=3
|
1.21 |
| 07-Aug-2003 |
agc | branches: 1.21.2; 1.21.4; 1.21.6; 1.21.8; 1.21.10; Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22365, verified by myself.
|
1.20 |
| 06-Mar-2002 |
wiz | Replace last tempnam() with mkstemp(), and remove the tempMail variable. Inspired by OpenBSD. mail(1) is now tempnam(3) free.
|
1.19 |
| 05-Mar-2002 |
wiz | Use warn() instead of perror().
|
1.18 |
| 05-Mar-2002 |
wiz | KNF: No space after casts.
|
1.17 |
| 04-Mar-2002 |
wiz | Replace some more special pointers to zero (NIL, NONE, NOVAR, NOGRP, NOGE) with NULL.
|
1.16 |
| 04-Mar-2002 |
wiz | Don't use special null string pointer (NOSTR), just use NULL.
|
1.15 |
| 02-Mar-2002 |
wiz | Rename variables to avoid shadowing.
|
1.14 |
| 02-Mar-2002 |
wiz | ANSIfy, and minimal KNF.
|
1.13 |
| 05-Feb-2001 |
christos | fix nested externs
rename raise to upcase to avoid clash with raise(3)
|
1.12 |
| 19-Sep-2000 |
christos | Add -E "dontsendempty" flag which does not send messages that have no data. This is useful when piping cron error output to mail. While I am there add -~ to be a synonym for -I [but don't document it]. This is for compatibility with other OS's.
|
1.11 |
| 10-Feb-2000 |
tron | Rename send() to sendmessage() to avoid conflict with send(2) in "libc". Patch supplied by Geoff Adams in PR bin/9385.
|
1.10 |
| 19-Dec-1998 |
christos | char -> unsigned char
|
1.9 |
| 25-Aug-1998 |
ross | Add { and } to shut up egcs. Reformat the more questionable code.
|
1.8 |
| 25-Nov-1997 |
bad | Do not propagate local pipe and file addresses that are marked for deletion into the mail header.
|
1.7 |
| 19-Oct-1997 |
lukem | branches: 1.7.2; WARNSify, fix .Nm usage, deprecate register, use <err.h>
|
1.6 |
| 08-Jun-1996 |
christos | - Fix PR/105: Implement dot locking protocol and check return value of flock.
- Fix PR/2247: Don't call unknown users "ubluit". Issue an error message.
- Fix/add prototypes.
- Fix warnings.
- Use POSIX signal mask calls.
- RCSid police.
|
1.5 |
| 28-Nov-1994 |
jtc | Use tempnam() to generate temporary file names instead of trying to concatenate getenv("TMPDIR") and "RxXXXXXX" into fixed length arrays.
|
1.4 |
| 29-Jun-1994 |
deraadt | 4.4-lite, plus our mods
|
1.3 |
| 27-Aug-1993 |
jtc | Implement mailx's askbcc option.
|
1.2 |
| 01-Aug-1993 |
mycroft | Add RCS identifiers.
|
1.1 |
| 21-Mar-1993 |
cgd | branches: 1.1.1; Initial revision
|
1.1.1.2 |
| 28-Dec-1996 |
tls | Import of 4.4BSD-Lite (already merged at head)
|
1.1.1.1 |
| 21-Mar-1993 |
cgd | initial import of 386bsd-0.1 sources
|
1.7.2.1 |
| 26-Nov-1997 |
mellon | Pull rev 1.8 up from trunk (bad)
|
1.21.10.1 |
| 17-Mar-2006 |
tron | Pull up following revision(s) (requested by adrianp in ticket #1204): usr.bin/mail/send.c: revision 1.24 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.21.8.1 |
| 17-Mar-2006 |
riz | Pull up following revision(s) (requested by adrianp in ticket #10365): usr.bin/mail/send.c: revision 1.24 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.21.6.1 |
| 17-Mar-2006 |
tron | Pull up following revision(s) (requested by adrianp in ticket #1204): usr.bin/mail/send.c: revision 1.24 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.21.4.1 |
| 17-Mar-2006 |
riz | Pull up following revision(s) (requested by adrianp in ticket #10365): usr.bin/mail/send.c: revision 1.24 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.21.2.1 |
| 17-Mar-2006 |
riz | Pull up following revision(s) (requested by adrianp in ticket #10365): usr.bin/mail/send.c: revision 1.24 PR/32978: Johan Veenhuizen: mail(1) creates record file with insecure umask
|
1.28.8.1 |
| 06-Nov-2007 |
matt | sync with HEAD
|
1.33.2.1 |
| 13-May-2009 |
jym | Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
|
1.36.6.1 |
| 23-May-2012 |
yamt | sync with head.
|
1.37.10.1 |
| 23-Apr-2015 |
snj | Pull up following revision(s) (requested by christos in ticket #719):
usr.bin/mail/cmd3.c: revision 1.43
usr.bin/mail/extern.h: revision 1.33
usr.bin/mail/fio.c: revisions 1.41, 1.42
usr.bin/mail/mail.1: revision 1.61
usr.bin/mail/names.c: revision 1.31, 1.32
usr.bin/mail/send.c: revision 1.38
Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses by default. That avoids a direct command injection with syntactically valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail headers (with -t) or in address lines copied over from previous while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is documented behavior for Heirloom mailx, and was mentioned in an old technical report about BSD mailx (which does not usually make its way into operating system installations). The patch switches off this processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email address arguments. This prevents changing e.g. the Postfix configuration file in unexpected ways. This behavior was documented for BSD mailx (sort of), but not for Heirloom mailx. We did not assign a CVE to this because it is more of a missing feature, and code invoking mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO unexpected. (Not really required with patch 1, and there is still information disclosure/DoS potential if this expansion occurs.) This is a historic vulnerability already fixed in the Debian package, retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
-- fix incorrect arg size computation
|
1.39.16.1 |
| 02-Aug-2025 |
perseant | Sync with HEAD
|