From 130a5b07197819cdc447900f9891988c8f01e9f5 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Fri, 12 Jun 1998 07:06:37 +0000 Subject: Ready to ship. svn path=/trunk/; revision=1935 --- fetchmail.man | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'fetchmail.man') diff --git a/fetchmail.man b/fetchmail.man index bf75889f..11c01026 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -1588,10 +1588,10 @@ link can be tapped. .PP Use of the %F or %T escapes in an mda option could open a security hole, because they pass text manipulable by an attacker to a shell -command. The hole is reduced by the fact that fetchmail temporarily -discards any suid privileges it may have while running the MDA. To -avoid potential problems, (1) enclose the %F and %T escapes in single -quotes within the option, and (2) never use an mda command containing +command. Potential shell characters are replaced by `_' before +execution. The hole is further reduced by the fact that fetchmail +temporarily discards any suid privileges it may have while running the +MDA. For maximum safety, however, don't use an mda command containing %F or %T when fetchmail is run from the root account itself. .PP Send comments, bug reports, gripes, and the like to Eric S. Raymond -- cgit v1.2.3
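Review bot: In the rewritten %F/%T paragraph, the new sentence "Potential shell characters are replaced by `_' before execution" does not say which characters count as shell characters, so a reader cannot judge whether the substitution covers the quoting and expansion characters their shell honours. The same hunk also deletes the old recommendation (1) to enclose the %F and %T escapes in single quotes within the option, although the text still describes the hole as only "reduced". I would list the replaced characters in the man page, or say where the set is defined, and keep the single-quote advice as a second layer alongside the substitution. It is also worth a sentence noting that the substitution changes the address text the MDA receives, since an mda command that relies on %F or %T will now see `_' wherever a replaced character stood.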