http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4968
Summary: untaint_file_path claims "%" is an unsafe character
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Libraries
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
On my Red Hat Enterprise Linux box all hosted email accounts have home directories that contain a "%" character and look like this (this example is for the email address, "[EMAIL PROTECTED]"):
/home/john%example.com
This causes Spam Assassin to complain like this in various circumstances (for example, when running sa-learn):
security: cannot untaint path: "/home/john%example.com/.spamassassin"
This is because the "%" character in the path causes the regex in the untaint_file_path() function (in "Util.pm") to fail to match:
my $chars = '[EMAIL PROTECTED],\/\\\:';
my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;
Now, this may be a bug in Spam Assassin, or an unfortunate consequence of the server policy to substitute "%" for "@" in email account home directories. I am not aware of any adverse consequences of adding "%" to the regex; am I missing something here? Should Spam Assassin be changed to allow the "%" character when untainting file paths?
my $chars = '[EMAIL PROTECTED],\/\\\:';
my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;
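
The failure described in this report, reproduced as an added example (not SpamAssassin's code and not the reporter's). The allowlist in `$base_chars` is a constructed stand-in, because the real character class is obscured on this page, and `make_untainter` is a hypothetical helper; run it as `perl -T` to see the taint flag change.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed allowlist for illustration only; this is NOT the character
# class from Util.pm, which is obscured in the report above.
my $base_chars = '-_A-Za-z0-9.,=+/:';

# Hypothetical helper: build an untaint function around an allowlist, using
# the same regex shape as the one quoted in the report (first character from
# the class, remaining characters from the class plus "~" and space).
sub make_untainter {
    my ($chars) = @_;
    my $re = qr/^\s*([$chars][${chars}~ ]*)$/;
    return sub {
        my ($path) = @_;
        return unless defined $path;
        # Perl clears the taint flag only on data taken from a regex capture,
        # so a path that fails the allowlist can never be untainted.
        return $path =~ $re ? $1 : undef;
    };
}

# Zero-length string that is tainted under -T; appending it taints $path.
my $taint = substr("$0$^X", 0, 0);
my $path  = '/home/john%example.com/.spamassassin' . $taint;

my $strict  = make_untainter($base_chars);         # "%" not in the allowlist
my $relaxed = make_untainter($base_chars . '%');   # "%" added to the allowlist

for my $case (['without %', $strict], ['with %', $relaxed]) {
    my ($label, $untaint) = @$case;
    my $clean = $untaint->($path);
    if (defined $clean) {
        printf "%-10s accepted %s (still tainted: %s)\n",
            $label, $clean, tainted($clean) ? 'yes' : 'no';
    } else {
        printf "%-10s security: cannot untaint path: \"%s\"\n", $label, $path;
    }
}
```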