5481 CVE-2012-1750 mailx(1) tilde expansion vulnerability
authorRobert Mustacchi <rm@joyent.com>
Thu, 30 Apr 2015 20:01:26 +0100
changeset 14275 704102d4c169
parent 14274 9313d2be2f5f
child 14276 7b173d1a28b7
5481 CVE-2012-1750 mailx(1) tilde expansion vulnerability
usr/src/cmd/mailx/fio.c
usr/src/cmd/mailx/main.c
usr/src/cmd/mailx/misc/mailx.rc
usr/src/cmd/mailx/names.c
usr/src/man/man1/mailx.1
--- a/usr/src/cmd/mailx/fio.c	Thu Apr 30 20:00:43 2015 +0100
+++ b/usr/src/cmd/mailx/fio.c	Thu Apr 30 20:01:26 2015 +0100
@@ -757,7 +757,7 @@
 		if (debug) fprintf(stderr, "%s\n", name);
 		return (name);
 	}
-	if (wordexp(name, &wrdexp_buf, 0) != 0) {
+	if (wordexp(name, &wrdexp_buf, WRDE_NOCMD) != 0) {
 		fprintf(stderr, gettext("Syntax error in \"%s\"\n"), name);
 		fflush(stderr);
 		return (NOSTR);
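Review bot: With WRDE_NOCMD the wordexp() call now fails with WRDE_CMDSUB whenever the name contains a command substitution, yet the only diagnostic on the following line is still "Syntax error", so a user, or an administrator reading a log, cannot tell a rejected `$(...)` from a genuinely malformed name. Keeping the return code and distinguishing that one case gives an accurate message while leaving the other wordexp() failures on the generic text: `int rc = wordexp(name, &wrdexp_buf, WRDE_NOCMD);` / `if (rc != 0) {` / `fprintf(stderr, rc == WRDE_CMDSUB ? gettext("Command substitution not allowed in \"%s\"\n") : gettext("Syntax error in \"%s\"\n"), name);`. The enclosing function starts before and continues after this hunk.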
--- a/usr/src/cmd/mailx/main.c	Thu Apr 30 20:00:43 2015 +0100
+++ b/usr/src/cmd/mailx/main.c	Thu Apr 30 20:01:26 2015 +0100
@@ -37,8 +37,6 @@
  * contributors.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include "rcv.h"
 #ifndef preSVr4
 #include <locale.h>
@@ -104,7 +102,6 @@
 	progname = argv[0];
 	if (progname[strlen(progname) - 1] != 'x') {
 		assign("bsdcompat", "");
-		assign("escapeok", "");		/* XXX */
 	}
 	myegid = getegid();
 	myrgid = getgid();
--- a/usr/src/cmd/mailx/misc/mailx.rc	Thu Apr 30 20:00:43 2015 +0100
+++ b/usr/src/cmd/mailx/misc/mailx.rc	Thu Apr 30 20:01:26 2015 +0100
@@ -21,8 +21,6 @@
 # Copyright 2000 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
-# ident	"%Z%%M%	%I%	%E% SMI"
-#
 # The following 3 settings produce the familiar Solaris behavior.
 set appenddeadletter
 unset pipeignore
@@ -44,8 +42,6 @@
 	set LISTER="ls -LF"
 	# default is to allow editing of message windows
 	set editmessagewindow
-	# have to allow ~ escapes even though not using tty
-	set escapeok
 endif
 
 # most mail headers are uninteresting to most people.  here we ignore all
--- a/usr/src/cmd/mailx/names.c	Thu Apr 30 20:00:43 2015 +0100
+++ b/usr/src/cmd/mailx/names.c	Thu Apr 30 20:01:26 2015 +0100
@@ -191,7 +191,7 @@
 /*
  * For each recipient in the passed name list with a /
  * in the name, append the message to the end of the named file
- * and remove him from the recipient list.
+ * and remove them from the recipient list.
  *
  * Recipients whose name begins with | are piped through the given
  * program and removed.
@@ -212,6 +212,9 @@
 	char line[BUFSIZ];
 #endif
 
+	if (value("expandaddr") == NOSTR)
+		return (nout);
+
 	for (np = names; np != NIL; np = np->n_flink) {
 		if (!isfileaddr(np->n_name) && np->n_name[0] != '|')
 			continue;
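Review bot: The early return added before the loop hands back `nout` before the loop has assigned anything, so it is correct only if `nout` is initialised at its declaration, which lies outside this hunk; worth confirming, since an uninitialised value here would be returned to the caller as a recipient count. A short comment at the new check would also help, because the function's header comment (previous hunk) still promises that file and pipe recipients are handled and removed: `/* Without expandaddr, file and pipe names are not special here; return before touching the list. */`. The enclosing function starts before and continues after this hunk.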
@@ -596,14 +599,15 @@
 		panic("No names to unpack");
 
 	/*
-	 * Compute the number of extra arguments we will need.
-	 * We need at least 2 extra -- one for "mail" and one for
-	 * the terminating 0 pointer.
-	 * Additional spots may be needed to pass along -r and -f to 
-	 * the host mailer.
+	 * Compute the number of extra arguments we will need.  We need at least
+	 * 3 extra -- one for "mail", one for a terminating -- to stop sendmail
+	 * option processing, and one for the terminating 0 pointer.
+	 *
+	 * Additional spots may be needed to pass along -r and -f to the host
+	 * mailer.
 	 */
 
-	extra = 2;
+	extra = 3;
 
 	if (rflag != NOSTR)
 		extra += 2;
@@ -636,6 +640,7 @@
 		snprintf(hbuf, sizeof (hbuf), "%d", hflag);
 		*ap++ = savestr(hbuf);
 	}
+	*ap++ = "--";
 #endif /* SENDMAIL */
 	while (n != NIL) {
 		if (n->n_type & GDEL) {
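Review bot: The `--` argument is appended at the insertion site with no comment; its purpose is explained only in the argument-counting comment some forty lines earlier (the @@ -596 hunk), so a reader of this loop has to go looking for why a bare `--` precedes the recipient names. Suggest `*ap++ = "--";	/* end sendmail options: recipient names may begin with '-' */`. Note also that `extra = 3` in the earlier hunk is unconditional while this slot is only filled under `#ifdef SENDMAIL`; that looks like harmless over-allocation by one in non-SENDMAIL builds, but a reader may read it as a mismatch, so the counting comment could say so explicitly. The enclosing function starts before and continues after this hunk.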
--- a/usr/src/man/man1/mailx.1	Thu Apr 30 20:00:43 2015 +0100
+++ b/usr/src/man/man1/mailx.1	Thu Apr 30 20:01:26 2015 +0100
@@ -9,7 +9,7 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH MAILX 1 "Sep 19, 2001"
+.TH MAILX 1 "Dec 18, 2014"
 .SH NAME
 mailx \- interactive message processing system
 .SH SYNOPSIS
@@ -36,7 +36,6 @@
 .fi
 
 .SH DESCRIPTION
-.sp
 .LP
 The mail utilities listed above provide a comfortable, flexible environment for
 sending and receiving mail messages electronically.
@@ -64,7 +63,6 @@
 \fBCommands\fR as in the primary \fBmailbox\fR. This gives rise within these
 pages to the notion of a current \fBmailbox\fR.
 .SH OPTIONS
-.sp
 .LP
 On the command line options start with a dash (\(mi). Any other arguments are
 taken to be destinations (recipients). If no recipients are specified,
@@ -294,7 +292,6 @@
 .RE
 
 .SH OPERANDS
-.sp
 .LP
 The following operands are supported:
 .sp
@@ -308,7 +305,6 @@
 
 .SH USAGE
 .SS "Starting Mail"
-.sp
 .LP
 At startup time, \fBmailx\fR executes the system startup file
 \fB/etc/mail/mailx.rc\fR. If invoked as \fBmail\fR or \fBMail\fR, the system
@@ -380,7 +376,6 @@
 escape character followed by a single command letter and optional arguments.
 See \fBTilde Escapes\fR for a summary of these commands.
 .SS "Reading Mail"
-.sp
 .LP
 Each message is assigned a sequential number, and there is at any time the
 notion of a current message, marked by a right angle bracket (>) in the header
@@ -544,20 +539,23 @@
 shell conventions (see \fBsh\fR(1)). Special characters are recognized by
 certain commands and are documented with the commands below.
 .SS "Sending Mail"
-.sp
 .LP
 Recipients listed on the command line may be of three types: login names, shell
 commands, or alias groups. Login names may be any network address, including
 mixed network addressing. If mail is found to be undeliverable, an attempt is
-made to return it to the sender's \fBmailbox\fR. If the recipient name begins
-with a pipe symbol ( | ), the rest of the name is taken to be a shell command
-to pipe the message through. This provides an automatic interface with any
-program that reads the standard input, such as \fBlp\fR(1) for recording
-outgoing mail on paper. Alias groups are set by the \fBa\fRlias command (see
-\fBCommands\fR below) or in a system startup file (for example,
-\fB$HOME/.mailrc\fR). Aliases are lists of recipients of any type.
+made to return it to the sender's \fBmailbox\fR. If the \fBexpandaddr\fR option
+is not set (the default), then the following rules do not apply and the name of
+the recipient must be a local mailbox or network address. If the recipient name
+begins with a pipe symbol ( | ), the rest of the name is taken to be a shell
+command to pipe the message through. This provides an automatic interface with
+any program that reads the standard input, such as \fBlp\fR(1) for recording
+outgoing mail on paper.
+.sp
+.LP
+Alias groups are set by the \fBa\fRlias command (see \fBCommands\fR below) or in
+a system startup file (for example, \fB$HOME/.mailrc\fR). Aliases are lists of
+recipients of any type.
 .SS "Forwarding Mail"
-.sp
 .LP
 To forward a specific message, include it in a message to the desired
 recipients with the \fB~f\fR or \fB~m\fR tilde escapes. See \fBTilde\fR
@@ -569,7 +567,6 @@
 your mail to a new host by forwarding it to your new address if it is not yet
 listed in the \fBNIS\fR aliases domain.
 .SS "Commands"
-.sp
 .LP
 Regular commands are of the form
 .sp
@@ -768,6 +765,18 @@
 .sp
 .ne 2
 .na
+\fB\fBexpandaddr\fR\fR
+.ad
+.sp .6
+.RS 4n
+Causes recipient addresses to be expanded based on the discussion in the section
+\fBSending Mail\fR. Note that enabling this option allows for addresses that can
+cause arbitrary command execution by starting with the \fB|\fR character.
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fBex\fRit\fR
 .ad
 .br
@@ -1621,7 +1630,6 @@
 .RE
 
 .SS "Tilde Escapes"
-.sp
 .LP
 The following tilde escape commands can be used when composing mail to send.
 These may be entered only from \fIinput mode\fR, by beginning a line with the
@@ -1905,7 +1913,6 @@
 .RE
 
 .SS "Internal Variables"
-.sp
 .LP
 The following variables are internal variables. They may be imported from the
 execution environment or set using the \fBse\fRt command at any time. The
@@ -2539,12 +2546,10 @@
 .RE
 
 .SS "Large File Behavior"
-.sp
 .LP
 See \fBlargefile\fR(5) for the description of the behavior of \fBmailx\fR when
 encountering files greater than or equal to 2 Gbyte ( 2^31 bytes).
 .SH ENVIRONMENT VARIABLES
-.sp
 .LP
 See \fBenviron\fR(5) for descriptions of the following environment variables
 that affect the execution of \fBmailx\fR: \fBHOME\fR, \fBLANG\fR,
@@ -2661,7 +2666,6 @@
 .RE
 
 .SH EXIT STATUS
-.sp
 .LP
 When the \fB-e\fR option is specified, the following exit values are returned:
 .sp
@@ -2706,7 +2710,6 @@
 .RE
 
 .SH FILES
-.sp
 .ne 2
 .na
 \fB\fB$HOME/.mailrc\fR\fR
@@ -2788,7 +2791,6 @@
 .RE
 
 .SH ATTRIBUTES
-.sp
 .LP
 See \fBattributes\fR(5) for descriptions of the following attributes:
 .sp
@@ -2804,7 +2806,6 @@
 .TE
 
 .SH SEE ALSO
-.sp
 .LP
 \fBbiff\fR(1B), \fBecho\fR(1), \fBed\fR(1), \fBex\fR(1), \fBfmt\fR(1),
 \fBlp\fR(1), \fBls\fR(1), \fBmail\fR(1), \fBmail\fR(1B), \fBmailcompat\fR(1),
@@ -2813,7 +2814,6 @@
 \fBpasswd\fR(4), \fBattributes\fR(5), \fBenviron\fR(5), \fBlargefile\fR(5),
 \fBstandards\fR(5)
 .SH NOTES
-.sp
 .LP
 Where \fIshell-command\fR is shown as valid, arguments are not always allowed.
 Experimentation is recommended.