Alexandros Dourmousoglou wrote:
>
> Hi all,
> I've installed qmail-scanner in my qmail, and in qmail-scanner-queue.pl
> I've added a subroutine which performs file scanning for the mail's
> attachments. The only thing I do is to execute the shell's command
> "file" for each mail's attachment, and check file's output against my
> database.
> I do something like that: "$out=file($file_attached);"
> The problem is that qmail-scanner-queue.pl generates the following message:
> "X-Qmail-Scanner-1.15:[Hermes10442619534364820] Requeuing: Insecure
> dependency in piped open while running with -T switch at (eval 1) line 56."
> and "X-Qmail-Scanner-1.15:[Hermes10442611494364759] Requeuing: Insecure
> dependency in system while running with -T switch at
> /var/qmail/bin/qmail-scanner-queue.pl line 1737".
> Line 1737 contains the following command "$out=file($file_attached);".
> I've removed -T option from the top of qmail-scanner-queue.pl, but
> nothing changed.

IMO - this is a GoodThing (for you)...
-T is your friend - don't leave /home without it :)
(see 'perldoc perlsec' and 'man perlrun')

Basically - it (-T) wants you to make sure you really want that (untrusted)
data going to the shell and that you know what quality/quantity/type of data
is OK to pass to the specific shell cmd you're calling.

You don't say what your file() routine is actually doing, but here's an idea
on how you could approach it:
(simplistic -example- regex below - you can craft one suitable for your use)

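# Untaint: under -T only a captured regex group ($1) counts as clean data.
$cleanFN = ($file_attached =~ /(\w{1,256}\.[A-Za-z]{3})/) ? $1 : "BAD_FILE";
if ($cleanFN ne "BAD_FILE") {
    # Fork a child whose STDOUT is piped back to us on X.
    my $pid = open(X, "-|");
    die "cannot fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: list-form exec runs file(1) directly, with no shell involved.
        exec("/usr/bin/file", $cleanFN) or die "cannot exec file: $!";
    }
    $out = <X>; chomp $out;
    close(X);
} else {
    $out = "bad filename";
}
print "$out\n";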
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
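
The untaint-then-exec approach from the reply above, as an added example that is not part of the original message or of qmail-scanner. The helper names `untaint_filename` and `file_type`, the `/tmp` directory and the filename policy are assumptions for illustration; run it as `perl -T script.pl`.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): calling file(1) on an attachment under -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external commands while these are tainted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $FILE_BIN = '/usr/bin/file';   # path used in the reply above

# Return an untainted copy of a bare file name, or undef if it is rejected.
# Assumed policy: no directory part, no leading dash or dot, max 255 characters.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    # Anchored match: the whole name must fit, not just a substring of it.
    return $1 if $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,254})\z/;
    return undef;
}

# Run file(1) without a shell and return its one-line description.
sub file_type {
    my ($dir, $name) = @_;
    my $clean = untaint_filename($name);
    return 'bad filename' unless defined $clean;
    # List-form pipe open: arguments are passed to exec directly, so shell
    # metacharacters are never interpreted. '--' ends option parsing.
    open(my $fh, '-|', $FILE_BIN, '-b', '--', "$dir/$clean")
        or return "cannot run file: $!";
    my $out = <$fh>;
    close($fh);
    $out = 'no output' unless defined $out;
    chomp $out;
    return $out;
}

# Constructed sample names; names given on the command line are tainted,
# like attachment names taken from a message.
my $dir = '/tmp';   # assumed scratch directory, clean because it is a literal
for my $name (@ARGV ? @ARGV : ('report.pdf', 'x.txt; rm -rf ~', '../etc/passwd')) {
    printf "%-20s tainted=%d -> %s\n", $name, tainted($name) ? 1 : 0,
        file_type($dir, $name);
}
```

Only `$1` from a successful match is untainted, so the anchors `\A` and `\z` matter: without them a hostile name that merely contains an acceptable substring would pass.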