https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7206
Bug ID: 7206
Summary: TxRep treats strings from a mail as a regular expression
Product: Spamassassin
Version: 3.4.2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
Noticed the following warning in a TxRep plugin:
_WARN: rules: failed to run TXREP test, skipping:
(Unmatched ) in regex; marked by <-- HERE in m/aol.de) <-- HERE /
at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm
line 1262
Looking at the reported line the issue seems more serious:
if (defined $rly->{helo} && $rly->{helo} !~ /^\[?$rly->{ip}\]?$/ &&
$rly->{helo} !~ /$domain/i && $rly->{helo} !~ /$from/i ) { ...
The code treats strings obtained 'from the wild' as regular expressions,
which they are not (e.g. a dot means 'any character' in a regexp).
At the very least these variables in a regexp need to be protected
by \Q ... \E, but more likely these should be replaced by index()
or an 'eq' operator.
Haven't investigated details, but in view of the recent security
flaw found in libpcre (unrelated to perl, but the same reasoning
applies), it seems bad practice to let strings from the wild get
anywhere near being treated as a regular expression without a
double dose of sanitation and careful consideration of potential
consequences.
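The failure mode described in this report, as an added example that is not part of the report or of TxRep's code: the same HELO/domain comparison done with raw interpolation, with \Q...\E, and with index(). The function names and the sample HELO and domain strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed [HELO, sender domain] pairs standing in for values parsed
# from a message; none of them come from TxRep or from a real mail.
my @cases = (
    [ 'mail.aolxde.example', 'aol.de'  ],  # '.' in the domain is a wildcard
    [ 'mx.aol.de',           'aol.de)' ],  # stray ')' breaks compilation
    [ 'relay.AOL.de',        'aol.de'  ],  # legitimate case-insensitive hit
);

# Unsafe: the mail-derived string is compiled as a pattern. The eval only
# keeps this demo running; without it the compile error propagates to the
# caller, as in the warning quoted in the report.
sub match_as_regex {
    my ($haystack, $needle) = @_;
    my $hit = eval { $haystack =~ /$needle/i ? 1 : 0 };
    return $hit if defined $hit;
    (my $err = $@) =~ s/;.*//s;            # keep only the short reason
    return "error($err)";
}

# \Q...\E (quotemeta) turns every metacharacter into a literal.
sub match_quoted {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/i ? 1 : 0;
}

# Plain substring test: the regex engine never sees the input.
sub match_index {
    my ($haystack, $needle) = @_;
    return index(lc $haystack, lc $needle) >= 0 ? 1 : 0;
}

for my $case (@cases) {
    my ($helo, $domain) = @$case;
    printf "helo=%-20s domain=%-8s regex=%s quoted=%d index=%d\n",
        $helo, $domain,
        match_as_regex($helo, $domain),
        match_quoted($helo, $domain),
        match_index($helo, $domain);
}
```

In the first pair the raw interpolation reports a match that neither literal comparison does, and in the second it fails to compile at all, while the quoted and index() forms treat both domains as plain text.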