Dear Sam,

Thank you for your teaching. I have learned it.
thank you.

2006/12/12, Sam Varshavchik <[EMAIL PROTECTED]>:
> Cheng Bruce writes:
>
> > Hi Serge,
> >
> > Thank you for your soon reply.
> > Before you reply to me, I have looked .mailfilter several times, but I
> > still can't figure out it.
> > And I focused on "sh: -c:". don't know where -c is located in the scripts.
> > This is used for user's autoreply, and it works, but just sometimes
> > will be happened.
> >
> > Would you please correct my fault ?
> > This following is the information of .mailfilter
> > #============================================
> > logfile "/home/domains/YYYY.com/laura/mailfilter.log"
> > VERBOSE 9
> > #
> > # autoreply
> > #
> > if (/^Subject:.*/)
> > {
> >  SUBJECT=$MATCH
> > }
> >
> > # These emails won't do autoreply
> > if (! (/^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ ||
> > /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ ||
> > /^From:[EMAIL PROTECTED]/ || /^From:[EMAIL PROTECTED]/ ) )
> > {
> > cc "| mailbot -A 'X-Sender: $FROM' -A 'From: $FROM' -d autoresponsedb
> > -s 'Out of Office AutoReply: $SUBJECT' -m '$HOME/Maildir/autoreply.cf'
> > $SENDMAIL -t -f ''"
> > }
> > to "$HOME/Maildir/."
> > #==========================================
>
> This is a classical mistake made by those who do not understand how shell
> escaping and metacharacters should be quoted.
>
> If you check your mail queue, you will probably find an E-mail message with
> a subject line that contains an apostrophe. It's also remotely possible
> that the message has an apostrophe in its return address, and not the
> subject line, but with 99% certainty it will be a subject line with an
> apostrophe.
>
> For the sake of argument, the original message will have a subject line
> whose contents will be something like:
>
> Subject: Mike's lunch.
>
>
> Your maildrop recipe will, subsequently attempt to execute the following
> command:
>
> cc "| mailbot -A [...] -s 'Out of Office AutoReply: Subject: Mike's lunch'
> [...]"
>
> And there's your syntax error.
>
> You are very fortunate that you spotted this problem when it is a simple
> syntax error.
>
> If a hostile attacker is aware of your broken maildrop recipe, he would then
> simply send you a message with the following subject line:
>
> Subject: p0wn3d '; rm -rf $HOME #
>
> And kiss your ass good bye, as this message will wind up executing "rm -rf
> $HOME" in your home directory.
>
> Do _NOT_ write maildrop recipes that invoke external commands unless you
> KNOW WHAT YOU ARE DOING.
>
> At the very minimum, change:
>
> > SUBJECT=$MATCH
>
> to:
>
> > SUBJECT=escape($MATCH)
> > FROM=escape($FROM)
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
> _______________________________________________
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
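The quoting failure discussed in this thread, as an added example that is not part of the original messages and is not maildrop's escape() implementation: it builds the command string the way the recipe does and compares it with a version that shell-quotes the subject first. The function names are hypothetical, printf stands in for mailbot, and both subjects are constructed test values; the naive form is only syntax-checked with sh -n, never executed.

```shell
#!/bin/sh
# Added illustration, not from the thread. printf stands in for mailbot.

# sh_quote STRING: emit STRING as one single-quoted shell word.
# Every embedded ' becomes '\'' (close quote, literal quote, reopen quote).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# naive_cmd SUBJECT: splice SUBJECT between single quotes, the way the
# recipe's -s '... $SUBJECT' does.
naive_cmd() {
    printf "printf '%%s' 'Out of Office AutoReply: %s'" "$1"
}

# safe_cmd SUBJECT: same command, but the whole argument goes through sh_quote.
safe_cmd() {
    printf "printf '%%s' %s" "$(sh_quote "Out of Office AutoReply: $1")"
}

# parses_ok CMD: syntax check only; sh -n reads CMD and never executes it.
parses_ok() {
    printf '%s\n' "$1" | sh -n 2>/dev/null
}

# Constructed subjects: a stray apostrophe, and one that closes the quote and
# appends a second (harmless) command followed by a comment marker.
for subject in "Mike's lunch" "x'; echo INJECTED #"; do
    if parses_ok "$(naive_cmd "$subject")"; then
        naive='parses as shell code'
    else
        naive='syntax error'
    fi
    printf 'naive: %-22s safe arg: %s\n' "$naive" "$(sh -c "$(safe_cmd "$subject")")"
done
```

The second subject is the one to worry about: the naive command string passes the syntax check, so no "sh: -c:" error appears in the log, while the quoted form delivers the same text to the command as a single literal argument.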