On 30.03.2017 at 02:46, Sam Varshavchik wrote:
>> ### BUG: This leaves LPART and DPART empty. :( ###
>> LPART=`echo $MATCH1 | sed "s/\./_/g"`
>
> If someone were to send an email with a carefully crafted header that reads:
> "X-BeenThere: ; rm -rf $HOME" you'll have a lot of cleanup to do.
Ouch. I had this bad feeling all the time... Fixed it. Thank you.

Still, at the moment, there should be nothing to worry about, as even:

BLABLA=`echo hallo >> /tmp/test.txt`

doesn't have any effect. (I.e. no file "test.txt" appears in /tmp.) Filling variables with backtick commands doesn't seem to work in my setup. They are empty afterwards, while the very same statements work on the command line.

> Maybe scrap the whole thing. Use backticks to feed the email to a Perl
> script that safely parses headers.

Okay... the aforementioned problems left aside, what is the advantage? It's all about a simple regex. IMHO, the beauty of all solutions discussed here is that they use maildropfilter and nothing else.

> At the very least use an additional =~ operator to verify that matched
> pattern is sane:
>
> LOCALPART=$MATCH1
>
> if ($LOCALPART =~ /^[A-Za-z0-9\.\-]+$/)

"At the very least"? Does an external perl script have any security advantage over this?

d.

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
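As an added illustration (not code from the thread or from maildrop), the following Python applies the allowlist check Sam suggested to an X-BeenThere value before deriving LPART and DPART, and does the dot-to-underscore rewrite in-process rather than through `echo | sed`, so header text never reaches a shell. The header parser, the `local@domain` split and the sample messages are assumptions for this example.

```python
import re

# Allowlist from the thread: letters, digits, dots and hyphens only.
# fullmatch() is used so a trailing newline or stray byte cannot slip past '$'.
SANE = re.compile(r'[A-Za-z0-9.\-]+')


def extract_header(raw_message, name):
    """Return the first value of header `name` from the header block of a
    raw message (headers end at the first empty line), or None if absent."""
    for line in raw_message.split('\n'):
        if line == '':          # blank line terminates the header block
            break
        key, sep, value = line.partition(':')
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def derive_parts(header_value):
    """Split 'local@domain' into (LPART, DPART), replacing dots with
    underscores as the thread's sed command does, but only after BOTH
    halves pass the allowlist. Anything missing, malformed or containing
    shell metacharacters (';', '$', ' ', ...) yields None."""
    if header_value is None or header_value.count('@') != 1:
        return None
    local, domain = header_value.split('@')
    if not (SANE.fullmatch(local) and SANE.fullmatch(domain)):
        return None
    return local.replace('.', '_'), domain.replace('.', '_')


# Constructed sample messages for this example (not taken from the list).
BENIGN = ("From: sender@mail.example\n"
          "X-BeenThere: courier.users@lists.example.net\n"
          "\nbody\n")
HOSTILE = ("From: sender@mail.example\n"
           "X-BeenThere: ; rm -rf $HOME\n"
           "\nbody\n")

if __name__ == '__main__':
    print(derive_parts(extract_header(BENIGN, 'X-BeenThere')))
    print(derive_parts(extract_header(HOSTILE, 'X-BeenThere')))
```

The hostile header is still read (extract_header returns it verbatim) but derive_parts refuses it, which is the point of checking before interpolating rather than after.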