From: Russell Nelson <[EMAIL PROTECTED]>
Date: Sun, 23 Jan 2000 22:53:31 -0500 (EST)

> 5. Recommendation
>
> Impose the 40 character limitation specified by RFC1939 into qmail.
> Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch

I don't recommend applying that patch. Every line of it is wrong. It
makes qmail-popup less secure, by inserting a call to syslog(), which
is a security disaster. It also sucks in the string library, which
includes the well-known security hole sprintf().

Besides, unless I'm missing something, the patch is simply incorrect.
It should set userlen to strlen(user) + 1, not just to strlen(user).
Otherwise, qmail-popup won't write out the trailing null byte after
the user name, breaking the protocol.

(And I agree with others that patching qmail is the wrong approach in
any case: qmail is not violating the RFC, and vpopmail should not
assume that its input is well-conditioned.)

Ian
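
The two technical points in the message above (the missing trailing null byte, and a consumer that does not assume well-conditioned input), shown as an added example that is not part of the original message and is not qmail or vpopmail code. It assumes a checkpassword-style record of three NUL-terminated fields (user, password, timestamp); build_record, parse_record and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAXFIELD 40  /* the 40-character limit cited in the quoted advisory */

/* Append len bytes of s at *pos; returns 0 on success, -1 if buf is full. */
static int put(char *buf, size_t cap, size_t *pos, const char *s, size_t len) {
    if (len > cap - *pos) return -1;
    memcpy(buf + *pos, s, len);
    *pos += len;
    return 0;
}

/* Producer (hypothetical): writes user\0pass\0stamp\0. With nul_user == 0 the
 * user name is sent as strlen(user) bytes, i.e. without its trailing NUL. */
size_t build_record(char *buf, size_t cap, const char *user, const char *pass,
                    const char *stamp, int nul_user) {
    size_t pos = 0;
    if (put(buf, cap, &pos, user, strlen(user) + (nul_user ? 1 : 0)) ||
        put(buf, cap, &pos, pass, strlen(pass) + 1) ||
        put(buf, cap, &pos, stamp, strlen(stamp) + 1))
        return 0;
    return pos;
}

/* Consumer (hypothetical): split exactly three NUL-terminated fields out of
 * len bytes without trusting the sender. Returns 0 if well-formed, else -1. */
int parse_record(const char *buf, size_t len, const char *out[3]) {
    size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        const char *start = buf + pos;
        const char *end = memchr(start, '\0', len - pos);
        if (!end) return -1;                             /* no terminator */
        if ((size_t)(end - start) > MAXFIELD) return -1; /* field too long */
        out[i] = start;
        pos += (size_t)(end - start) + 1;
    }
    return pos == len ? 0 : -1;                          /* no trailing bytes */
}

int main(void) {
    char buf[512];
    const char *f[3];
    size_t n = build_record(buf, sizeof buf, "alice", "secret", "<1.2@host>", 1);
    printf("strlen(user) + 1: parse = %d\n", parse_record(buf, n, f));
    n = build_record(buf, sizeof buf, "alice", "secret", "<1.2@host>", 0);
    printf("strlen(user):     parse = %d\n", parse_record(buf, n, f));
    return 0;
}
```

Without the terminator the user name and password merge into one field ("alicesecret"), so the bounded parser finds only two fields and rejects the record.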