<p>In modules/exec/doc/exec_admin.xml:</p>
<pre style='color:#555'>> +                        <para><emphasis>error</emphasis> - pseudovariable where to store the error from
> +                        the standard error of the process.
> +                        </para>
> +                </listitem>
> +                <listitem>
> +                        <para><emphasis>envavp</emphasis> - Avp where to store the values for the
> +                        environment variables to be passed for the command. The names of the environment
> +                        variables will be "OSIPS_EXEC_#" where # will start from 0. For example if you
> +                        store 2 values into an avp ("a" and "b") OSIPS_EXEC_0 will contain the first value
> +                        and OSIPS_EXEC_1 the second value.
> +                        </para>
> +                </listitem>
> +                </itemizedlist>
> +                <para>
> +                WARNING: any OpenSIPS pseudo-vars which may contain special bash
> +                characters should be placed inside quotes, e.g. exec("update-stats.sh '$ct'");
</pre>
<p>This does not help. You need to quote the contents of $ct too, or else I could do this:</p>
<pre><code>Contact: <sip:'; rm -rf /; echo '@whatever.com>
</code></pre>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href="https://github.com/OpenSIPS/opensips/pull/375/files#r19524753">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AFOciYOUUjR2gGkqV73DxoOlccc-s_Mmks5nIJ8PgaJpZM4Cz-_8.gif" width="1" /></p>
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"View this Pull Request on GitHub","action":{"@type":"ViewAction","url":"https://github.com/OpenSIPS/opensips/pull/375/files#r19524753","name":"View Pull Request"}}</script>