Hi,
I never thought that escaping the shell metacharacters was so
difficult. But I think there is a solution to the problem; I tested
it with quite random strings (try "`pwgen -s 12 1`@yourdomain.net" as
input addresses), but I know that is just a random test and not a
logical explanation as to why something is secure or not.
-Ace
----------
#!/usr/bin/perl
# In case you want to disable the forwarding, but defer the messages,
# uncomment the next 2 lines!
# print "Can not deliver Domain Forwading Yet !";
# exit 111;
# Explaining the script. Look at:
# http://www.w3.org/Security/Faq/wwwsf5.html#Q44
# You can take advantage of this feature to open up a pipe without
# going through a shell. By calling open on the magic character
# sequence |-, you fork a copy of Perl and open a pipe to the copy.
# The child copy can then exec another program using the argument
# list variant of exec().
# my $result = open (SORT,"|-");
# die "Couldn't open pipe to subprocess" unless defined($result);
# exec "/usr/bin/sort",$uservariable or die "Couldn't exec sort"
# if $result == 0;
# for my $line (@lines) {
# print SORT $line,"\n";
# }
# close SORT;
# The initial call to open() tries to fork a copy of Perl. If the
# call fails it returns an undefined value and the script immediately
# dies (you might want to do something more sophisticated, such as
# sending an HTML error message to the user). Otherwise, the result
# will return zero to the child process, and the child's process ID
# to the parent. The child process checks the result value, and
# immediately attempts to exec the sort program. If something fails
# at this point, the child quits.
# The parent process can then print to the SORT filehandle in
# the normal way.
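$result = open(M,"|-");
unless (defined($result)) {
    print "Problem with Domain Forwarding (Fork not possible)";
    exit 111;
}
$uservariable="$ENV{LOCAL}\@$ARGV[0]";
if ($result == 0){
    # Child: list form of exec, so no shell ever sees $uservariable.
    exec "/var/qmail/bin/qmail-inject",$uservariable;
    # Only reached if exec itself failed.
    print "Problem with Domain Forwarding (Could not execute qmail-inject)";
    exit 111;
}
# Parent: copy the incoming message to qmail-inject's stdin.
while(<STDIN>) { print M $_; }
# close() waits for the child; defer (exit 111) if qmail-inject failed.
close M or exit 111;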
___
( \ at the end of the line means that the line continues at the next
line, I did that just for formatting this email you might wanna
remove those \ !)
> On Sun, May 13, 2001 at 02:58:27AM +0200, Erich Schubert wrote:
> > did you try "tainted" mode? i would prefer it.
> >
> > and do "use strict;" - it forces you to write clean script which
> > tend to have less errors *g*
>
> Eh; it's a one-off script, that's so close to being "strict" that it
> hurts. But we're talking semantics now. <grin>
>
> As far as taint mode goes, see below..
>
> > But i have to state clearly that i'd prefer some shell command
> > without the dangerous variable $address in it...
> >
> > But i have no qmail-inject documentation ready, and my DSL link is
> > currently down (damn T-Online... i think 7th downtime in 4 days...
> > well, it's no business line but my home Internet Connection. if
> > it'd be business...)
>
> Yeah.. there really is no more direct way to get something into the
> queue than to inject it directly via qmail-queue; but it must have
> full and correct header information, and do some interesting things
> with file descriptors.
>
> I've tried to do this in perl before; couldn't figure it out and gave
> up. :)
>
> > The cited RE is what i would have written; but this is some lightly
> > different case; and i do know that this RE does not allow all
> > possible rfc822 conformant addresses. p.e. "'@<>"@domain.tld is a
> > correct address, i believe. (it's [EMAIL PROTECTED], which
> > is correct)
>
> Again, I'm not sure how necessary this is, as far as catching valid
> mail addresses. If it's being passed the address by qmail, it's
> already getting a valid RFC822 address component. It can't hurt
> anything, of course, but as you say it's not the easiest thing in the
> world to do.
>
> Adam
>
> --
> [EMAIL PROTECTED] - (http://sysadminsith.org)
> Evil Lord of the Sysadmin Sith Darth Rmdashrf
>
| Ace Suares, Internet Consultancy and Training
| Keizersgracht 132, 1015 CW AMSTERDAM, NL
| phone: 06 557 06 554 (+31 6 557 06 554)
| fax: 08 48 707 705 (+31 84 870 770 5)
| mailto:[EMAIL PROTECTED] PGP Key idea: 0x39B81FE5
| http://www.suares.com
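
The difference between a shell-string pipe and the fork-open plus list exec pattern discussed in the message above, as an added example that is not part of the original post. Assumptions: a small temporary helper script stands in for qmail-inject and only reports what it received, and the recipient address is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

$| = 1;    # flush our headings before each child writes
my $perl = $^X;

# Hypothetical stand-in for qmail-inject: reports its arguments and stdin.
my ($fh, $helper) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print $fh 'print "  arg: [$_]\n" for @ARGV; print "  body: $_" while <STDIN>;';
close $fh;

# Constructed recipient carrying shell metacharacters.
my $address = 'ace;echo SHELL-RAN-THIS@example.net';
my $message = "Subject: test\n";

# Weak form: one string, so /bin/sh parses $rcpt before the helper runs.
sub deliver_via_shell {
    my ($rcpt) = @_;
    open(my $pipe, "| $perl $helper $rcpt") or return 0;
    print $pipe $message;
    return close $pipe;
}

# Hardened form: fork with "|-", then list-form exec. No shell is involved,
# so $rcpt reaches the helper as exactly one argument, byte for byte.
sub deliver_via_exec {
    my ($rcpt) = @_;
    my $pid = open(my $pipe, '|-');
    return 0 unless defined $pid;          # fork failed
    if ($pid == 0) {                       # child: stdin is the pipe
        exec $perl, $helper, $rcpt;
        exit 111;                          # only reached if exec failed
    }
    print $pipe $message;                  # parent: feed the message
    return close $pipe;                    # false if the child exited non-zero
}

print "shell string:\n";
deliver_via_shell($address);
print "list exec:\n";
deliver_via_exec($address);
```

In the first run the helper sees only `ace` and the shell executes the rest of the address as a second command; in the second run the helper receives the whole address as a single argument.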