Lloyd Zusman <[EMAIL PROTECTED]> writes:
> [ ... listing of authorization filter ... ]
The first version of the filter I wrote would be a huge security breach.
It checks for "AUTH: LOGIN" in the entire message, not just in the
headers. This would allow someone to stick this in the body and bypass
all other filtering.
The enclosed version of it is better. I tightened down the regex that's
used for matching the AUTH indication, and I stop processing before the
body is read.
Question: can we assume that the "(AUTH: LOGIN userid)" line, if it
exists, would always be the second line in the message data file?
import re
import sys
import courier.control
import courier.config

# Accepts all incoming messages that have been submitted via a
# successful AUTH dialog.
# Run before any other filter.
order = 1

# Record in the system log that this filter was initialized.
sys.stderr.write('Initialized the AUTH python filter\n')

# Anchored to the start of a (stripped) header line: "(AUTH: LOGIN userid)".
authpat = re.compile(r'^\(AUTH:\s+LOGIN\s+\S+\)', re.I)
# A blank line marks the end of the headers.
emptypat = re.compile(r'^\s*$')

def dofilter(message_data_file, message_ctrl_files):
    # Read the headers one line at a time and return before the body is read.
    f = open(message_data_file, 'r')
    try:
        for line in f:
            line = line.strip()
            if emptypat.search(line):
                # Stop processing after the final message header.
                return ''
            if authpat.search(line):
                sys.stderr.write('Login authorization succeeded: message accepted\n')
                return '200 Ok'
        return ''
    finally:
        f.close()
--
Lloyd Zusman
[EMAIL PROTECTED]
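As an added illustration (not part of Lloyd's post or of the filter above), the two checks side by side: the first version's whole-message match against the header-only scan, run over two constructed messages, one genuinely authenticated and one that hides the AUTH marker in its body. The message texts, host names and `*_accepts` functions are constructed for this example.

```python
import re

# Same pattern as the filter in the post: an "(AUTH: LOGIN userid)" line.
AUTHPAT = re.compile(r'^\(AUTH:\s+LOGIN\s+\S+\)', re.I)
EMPTYPAT = re.compile(r'^\s*$')

def whole_message_accepts(message):
    """The first, flawed approach: a matching line anywhere is enough."""
    return any(AUTHPAT.search(line.strip()) for line in message.splitlines())

def headers_only_accepts(message):
    """Hardened approach: stop at the first blank line (end of headers)."""
    for line in message.splitlines():
        line = line.strip()
        if EMPTYPAT.search(line):
            return False          # body begins here; nothing below counts
        if AUTHPAT.search(line):
            return True
    return False

# Constructed sample: an authenticated submission, with the AUTH result
# recorded as a continuation line of the Received: header.
AUTHENTICATED = (
    "Received: from client.example.test (client.example.test [192.0.2.10])\n"
    "  (AUTH: LOGIN alice)\n"
    "  by mx.example.test with esmtp; Thu, 01 Jan 2004 00:00:00 +0000\n"
    "From: alice@example.test\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

# Constructed sample: an unauthenticated message that carries the marker
# in its body, where the whole-message check would find it.
SPOOFED = (
    "Received: from relay.untrusted.test (relay.untrusted.test [198.51.100.7])\n"
    "  by mx.example.test with esmtp; Thu, 01 Jan 2004 00:00:00 +0000\n"
    "From: someone@untrusted.test\n"
    "Subject: hello\n"
    "\n"
    "(AUTH: LOGIN alice)\n"
    "body text\n"
)

if __name__ == "__main__":
    for name, msg in (("authenticated", AUTHENTICATED), ("spoofed", SPOOFED)):
        print(name, "whole-message:", whole_message_accepts(msg),
              "headers-only:", headers_only_accepts(msg))
```

Because the header-only scan walks every header line up to the blank separator, it does not depend on the AUTH line being the second line of the data file.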
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users