When calling sendmail, use "--" to indicate end of command line arguments.

This prevents someone from sneaking arbitrary args to sendmail via
the Reply-To: or From: lines.

1 files changed, 7 insertions, 7 deletions

diff --git a/usr.bin/mail/names.c b/usr.bin/mail/names.c
index 19f23fb7064..70d2269f0b3 100644
--- a/usr.bin/mail/names.c
+++ b/usr.bin/mail/names.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: names.c,v 1.9 1997/11/14 00:23:53 millert Exp $	*/
+/*	$OpenBSD: names.c,v 1.10 2000/03/23 19:32:13 millert Exp $	*/
 /*	$NetBSD: names.c,v 1.5 1996/06/08 19:48:32 christos Exp $	*/
 
 /*
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)names.c	8.1 (Berkeley) 6/6/93";
 #else
-static char rcsid[] = "$OpenBSD: names.c,v 1.9 1997/11/14 00:23:53 millert Exp $";
+static char rcsid[] = "$OpenBSD: names.c,v 1.10 2000/03/23 19:32:13 millert Exp $";
 #endif
 #endif /* not lint */
 
@@ -504,12 +504,11 @@ unpack(np)
 		errx(1, "No names to unpack");
 	/*
 	 * Compute the number of extra arguments we will need.
-	 * We need at least two extra -- one for "mail" and one for
-	 * the terminating 0 pointer.  Additional spots may be needed
-	 * to pass along -f to the host mailer.
+	 * We need at least four extra -- one for "send-mail", one for the
+	 * "-i" flag, one for the "--" to signal end of command line
+	 * arguments, and one for the terminating 0 pointer.
 	 */
-	extra = 2;
-	extra++;
+	extra = 4;
 	metoo = value("metoo") != NULL;
 	if (metoo)
 		extra++;
@@ -524,6 +523,7 @@ unpack(np)
 		*ap++ = "-m";
 	if (verbose)
 		*ap++ = "-v";
+	*ap++ = "--";
 	for (; n != NIL; n = n->n_flink)
 		if ((n->n_type & GDEL) == 0)
 			*ap++ = n->n_name;