Thanks for the points, Mark. On Jun 19, 2007, at 5:49 PM, Mark Martinec wrote:
> Daniel,
>
>> Thank you for making this nice addition for me!
>> It works perfectly and accomplishes exactly what I needed...
>
> I'm glad it does.
>
>> Will I need to continue patching this in or are you committing it
>> to the main branch? Just checking...
>
> Will be in 2.5.2, in a few days.
>
>> RE: your concerns about the SQL pattern issues, I'm assuming I
>> wouldn't need to be quite as concerned about this as my postfix
>> server doesn't even call on amavis until the recipient address has
>> been validated as local... Does this make sense?
>
> For incoming mail, when plus addressing is enabled (and there is
> no reason it shouldn't be), one may add any junk in local part
> after a separator, e.g. "user+xx_%x.***"@example.com.
>
> For outgoing mail, your users are allowed to specify any
> recipient localpart under a valid domain name.
>
>> Also, how would this same concern not apply to the recipient
>> address listed in the %k macro which has been in the code all along?
>
> The:
>   users.email IN (fixed tainted strings)
> is safe because only exact string matches are used,
> and the list of strings is prepared by amavisd code
> by stripping out parts of the recipient address,
> in a well defined order from specific to a more general form.
>
> The:
>   alias.goto LIKE tainted_regexp
> appears potentially problematic, a recipient address
> could contain characters which have special meaning
> to SQL pattern matching, e.g. a recipient address
> like [EMAIL PROTECTED] would also match [EMAIL PROTECTED]@y.example.com
> (I know the '_' is not supposed to be used in host names,
> but it is a valid character for DNS, and few mailers
> enforce it).
>
> If SQL regexp matching were used instead of the simple LIKE,
> it would be even easier to cheat.
>
> It would be alright to do it the other way around though,
> e.g. tainted_string LIKE admin-specified-regexp
> which would be more similar to the: users.email IN (%k)
> functionality.
>
> Mark
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/

--
daniel duerr | president | emerald city entertainment group
dd @ emeraldcityeg.com | +1 (831) 621-1710 x103
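Added example illustrating Mark's LIKE concern (this is not code from amavisd or from this thread): a constructed alias table in sqlite3, the questionable "goto LIKE tainted" form, an ESCAPE-based fix, and the exact-match IN form. The key list built in goto_in_exact is a hypothetical simplification of what the %k macro produces, not amavisd's real expansion.

```python
import sqlite3

# Constructed sample alias table (not from any real amavisd deployment):
# address -> delivery target, standing in for the alias.goto column.
ALIASES = [
    ("postmaster@example.com", "admin@example.com"),
    ("info@example.com", "sales@example.com"),
    ("boss@y.example.com", "ceo@y.example.com"),
]

def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alias (address TEXT, goto TEXT)")
    con.executemany("INSERT INTO alias VALUES (?, ?)", ALIASES)
    return con

def goto_like_tainted(con, recipient):
    """The form questioned in the thread: alias.goto LIKE <recipient>.
    Parameter binding stops SQL injection, but '%' and '_' in an
    attacker-chosen local part still act as LIKE wildcards."""
    rows = con.execute("SELECT goto FROM alias WHERE goto LIKE ?", (recipient,))
    return sorted(r[0] for r in rows)

def escape_like(s, esc="\\"):
    """Neutralise LIKE metacharacters so the value matches only itself."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def goto_like_escaped(con, recipient):
    """Mitigation if LIKE must stay: escape the tainted value and declare
    the escape character, so the comparison is effectively exact."""
    rows = con.execute("SELECT goto FROM alias WHERE goto LIKE ? ESCAPE '\\'",
                       (escape_like(recipient),))
    return sorted(r[0] for r in rows)

def goto_in_exact(con, recipient):
    """The safe form Mark describes: exact-match IN over a list derived
    from the recipient, most specific first. Hypothetical simplified
    key list, not amavisd's real %k expansion."""
    local, _, domain = recipient.rpartition("@")
    base = local.split("+", 1)[0]
    keys = [recipient, f"{base}@{domain}", f"@{domain}"]
    marks = ",".join("?" * len(keys))
    rows = con.execute(f"SELECT goto FROM alias WHERE goto IN ({marks})", keys)
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    con = setup_db()
    print(goto_like_tainted(con, "%@example.com"))  # ['admin@example.com', 'sales@example.com']
    print(goto_like_escaped(con, "%@example.com"))  # []
    print(goto_in_exact(con, "sales+promo@example.com"))  # ['sales@example.com']
```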
