Kenneth Porter wrote:
In addition to "use strict", does it make sense to use "-wT"?
Taint-checking would probably cause lots of problems.
I just tested it by adding -wT to mimedefang.pl and the only error I got was the "require $Filter". After untainting $Filter I could run "mimedefang.pl -test" cleanly. If I leave this in, is there some other way it can bite me that won't show up in a -test run?
Is taint-checking inherited by the required user script or do I need to specify it again there?
(Presumably this would need to be in mimedefang.pl.) Could a hostile sender effect a shell escape in a poorly-written filter?
Well, by definition, a "poorly-written" filter can let a hostile sender do anything. :-) You could write a filter that executes the subjects of incoming e-mails as shell commands if you really wanted to.
<IncredulousOEUser> That would be nifty! </IncredulousOEUser>
;)
BTW, I added "use strict; use warnings;" to my filter and it turned up not only my aforementioned bug but a couple more variables missing "my" declarations (from the stock filter, $FoundVirus in filter_begin). Perhaps you could add these at the top of the stock filter. This shouldn't cause incompatibility since users have to migrate changes manually anyway.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
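Added example (not MIMEDefang's own code, nor from anyone in the thread) of the untainting step discussed above: a -T script that takes a filter path from a tainted source, untaints it against a whitelist pattern, and only then loads it with require. The filter path, the argument/environment handling and untaint_filter_path are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from mimedefang.pl: run it as "./untaint_demo.pl /path/to/filter"
# (Perl rejects "perl untaint_demo.pl" with "Too late for -T"; use "perl -T" instead).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV entries that influence child processes are taint sources;
# clearing them is the usual first step so later system()/open() calls do not die.
delete @ENV{qw(PATH ENV BASH_ENV CDPATH IFS)};

# Assumed source of the filter path: a command-line argument, else an
# environment variable, else a constant. @ARGV and %ENV values are tainted.
my $raw_filter = $ARGV[0] // $ENV{MIMEDEFANG_FILTER} // '/etc/mail/mimedefang-filter';
print "raw filter path tainted: ", (tainted($raw_filter) ? "yes" : "no"), "\n";

# Untaint by capturing the value through an explicit whitelist regex: an
# absolute path of plain ASCII filename characters, with no ".." component.
# Only the captured text is considered untainted by Perl, so a value that
# does not match never becomes a require() argument.
sub untaint_filter_path {
    my ($path) = @_;
    my ($safe) = $path =~ m{^(/[A-Za-z0-9_./-]+)$}
        or die "Refusing to load filter from path with unexpected characters: $path\n";
    die "Refusing to load filter from path containing '..': $safe\n"
        if $safe =~ m{(?:^|/)\.\.(?:/|$)};
    return $safe;
}

my $Filter = untaint_filter_path($raw_filter);
print "untainted filter path tainted: ", (tainted($Filter) ? "yes" : "no"), "\n";

# With the raw value, require dies under -T ("Insecure dependency in require");
# with the untainted copy it loads. Taint mode is a property of the whole
# interpreter, so the filter file pulled in here runs under the same checks:
# tainted data reaching system(), backticks, or open() for writing inside the
# filter still dies there rather than silently executing.
require $Filter;
print "filter loaded from $Filter\n";
```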