1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
diff --git a/lib/mail.rb b/lib/mail.rb
index 1ac8614..6d13a24 100644
--- a/lib/mail.rb
+++ b/lib/mail.rb
@@ -2,6 +2,7 @@
module Mail # :doc:
require 'date'
+ require 'shellwords'
require 'active_support'
require 'active_support/core_ext/class/attribute_accessors'
@@ -33,6 +34,7 @@ module Mail # :doc:
require 'mail/core_extensions/nil'
require 'mail/core_extensions/string'
+ require 'mail/core_extensions/shellwords' unless String.new.respond_to?(:shellescape)
require 'mail/core_extensions/smtp' if RUBY_VERSION < '1.9.3'
require 'mail/patterns'
diff --git a/lib/mail/core_extensions/shellwords.rb b/lib/mail/core_extensions/shellwords.rb
new file mode 100644
index 0000000..aa87f31
--- /dev/null
+++ b/lib/mail/core_extensions/shellwords.rb
@@ -0,0 +1,55 @@
+# The following is imported from ruby 1.9.2 shellwords.rb
+#
+module Shellwords
+ # Escapes a string so that it can be safely used in a Bourne shell
+ # command line.
+ #
+ # Note that a resulted string should be used unquoted and is not
+ # intended for use in double quotes nor in single quotes.
+ #
+ # open("| grep #{Shellwords.escape(pattern)} file") { |pipe|
+ # # ...
+ # }
+ #
+ # +String#shellescape+ is a shorthand for this function.
+ #
+ # open("| grep #{pattern.shellescape} file") { |pipe|
+ # # ...
+ # }
+ #
+ def shellescape(str)
+ # An empty argument will be skipped, so return empty quotes.
+ return "''" if str.empty?
+
+ str = str.dup
+
+ # Process as a single byte sequence because not all shell
+ # implementations are multibyte aware.
+ str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/n, "\\\\\\1")
+
+ # A LF cannot be escaped with a backslash because a backslash + LF
+ # combo is regarded as line continuation and simply ignored.
+ str.gsub!(/\n/, "'\n'")
+
+ return str
+ end
+
+ module_function :shellescape
+
+ class << self
+ alias escape shellescape
+ end
+
+end
+
+class String
+ # call-seq:
+ # str.shellescape => string
+ #
+ # Escapes +str+ so that it can be safely used in a Bourne shell
+ # command line. See +Shellwords::shellescape+ for details.
+ #
+ def shellescape
+ Shellwords.escape(self)
+ end
+end
\ No newline at end of file
diff --git a/lib/mail/network/delivery_methods/sendmail.rb b/lib/mail/network/delivery_methods/sendmail.rb
index 6ae419a..29f1876 100644
--- a/lib/mail/network/delivery_methods/sendmail.rb
+++ b/lib/mail/network/delivery_methods/sendmail.rb
@@ -45,11 +45,11 @@ module Mail
def deliver!(mail)
envelope_from = mail.return_path || mail.sender || mail.from_addrs.first
- return_path = "-f \"#{envelope_from}\"" if envelope_from
+ return_path = "-f \"#{envelope_from.to_s.shellescape}\"" if envelope_from
arguments = [settings[:arguments], return_path].compact.join(" ")
- Sendmail.call(settings[:location], arguments, mail.destinations.join(" "), mail)
+ Sendmail.call(settings[:location], arguments, mail.destinations.collect(&:shellescape).join(" "), mail)
end
def Sendmail.call(path, arguments, destinations, mail)
|
