I have a simple script that takes a subject line and return path from STDIN (a piped email) and runs a custom curl query using the subject:
#!/usr/bin/env bash
# Check for the sender email address and subject.
# Assign them to variables for use later.
while read -r key value; do
    case $key in
        Subject:)     subject=$value;;
        Return-Path:) return_path=$value;;
    esac
done
# Run a curl query utilizing a modified version of the subject (replacing spaces with plus symbols)
curl "https://foo.com/&q="${subject// /+}"" >> foo.txt
My concern though is that this leaves a hole for malicious (or accidental) use of problematic subject headers like: Subject: Test 123; rm -fr /;
Is there an easy way to prevent this from happening?
I apologize if this is a vague question. I’m very new to scripting so my knowledge of script hardening/sanitizing is very slim. If there is a beginner’s reference for this, please let me know.
UPDATE. Here’s the revised script:
#!/usr/bin/env bash
# Check for the sender email address and subject.
# Assign them to variables for use later.
while read -r key value; do
    case $key in
        Subject:)     subject="$value";;
        Return-Path:) return_path="$value";;
    esac
done
# Run a curl query utilizing a modified version of the subject (replacing spaces with plus symbols).
# The whole URL is one double-quoted word; no literal quote characters belong inside it.
curl "https://foo.com/&q=${subject// /+}" >> foo.txt
Yes. Always use quotes. ALWAYS.
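Quoting settles the shell side: a variable expanded inside double quotes is never re-parsed as a command, so `; rm -fr /` in a subject is just text passed to curl. What quoting does not settle is the URL side: a subject containing `&`, `#`, `?` or `%` can still add or truncate query parameters in the request. The added example below (my own, not the asker's script or the answerer's) handles both. It parses only the header block, stops at the first blank line so a `Subject:` in the body is ignored, and hands the subject to curl with `--get --data-urlencode`, which percent-encodes it and appends `?q=...` to the URL itself. The `urlencode` function does the same encoding in pure bash so the result can be checked offline. The sample message and the `https://foo.com/` endpoint are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the original script. Assumes the endpoint accepts ?q=<subject>.

# Percent-encode every byte that is not an RFC 3986 unreserved character.
# Spaces become '+', matching the original script's form-style encoding.
# LC_ALL=C makes bash iterate over bytes, so multibyte UTF-8 is encoded byte-wise.
urlencode() {
    local LC_ALL=C s=$1 out='' i c
    for (( i = 0; i < ${#s}; i++ )); do
        c=${s:i:1}
        case $c in
            [A-Za-z0-9._~-]) out+=$c ;;
            ' ')             out+='+' ;;
            *)               printf -v out '%s%%%02X' "$out" "'$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Read the RFC 822 header block from stdin into $subject and $return_path.
# Stops at the blank line that ends the headers so body text is never parsed.
# Folded (continuation) header lines are not joined; a real MTA hook should do that.
parse_headers() {
    local key value
    subject='' return_path=''
    while IFS=$' \t' read -r key value; do
        key=${key%$'\r'}; value=${value%$'\r'}   # tolerate CRLF line endings
        [[ -z $key ]] && break                    # end of header block
        case $key in
            Subject:)     subject=$value ;;
            Return-Path:) return_path=$value ;;
        esac
    done
}

# Build curl's argument list. --get sends the encoded data as a query string
# (?q=...) and --data-urlencode percent-encodes the part after the first '='.
# The subject is one argv element, never re-parsed by a shell.
build_curl_args() {
    CURL_ARGS=(--silent --show-error --get --data-urlencode "q=$1" --url "https://foo.com/")
}

# Parse a message and return the subject the way it will appear in the query string.
encode_subject_from_message() {
    parse_headers <<< "$1"
    urlencode "$subject"
}

# What the mail pipe would run: parse stdin, then perform the request.
run_query() {
    parse_headers
    build_curl_args "$subject"
    curl "${CURL_ARGS[@]}" >> foo.txt
}

# Constructed sample message (not from the original post): a hostile-looking
# subject with shell metacharacters plus URL-significant characters, and a
# body line that would be mistaken for a header by the original loop.
sample_message=$'Return-Path: <alice@example.com>\r\nSubject: Test 123; rm -fr /; a&b=c#d\r\n\r\nSubject: not a header\r\n'
```

In the mail hook, call `run_query` as the last line; everything above it is side-effect free so the file can be sourced and checked without network access. The `&` and `#` in the constructed subject become `%26` and `%23`, so they can no longer start a second parameter or a fragment. Anything that later reads `foo.txt` must treat it as untrusted data for the same reason.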