I only supply this sample patch because there is not one from the
author. It is not designed to be in the same style as qmail code; for
instance, I included a comment.
Also, it is a great idea to impose the limitation on vpopmail as well.
Thanks.
K2
PS. I don't believe there is a "sprintf()" in the patch code.
On 24 Jan 2000, Ian Lance Taylor wrote:
> From: Russell Nelson <[EMAIL PROTECTED]>
> Date: Sun, 23 Jan 2000 22:53:31 -0500 (EST)
>
> > 5. Recommendation
> >
> > Impose the 40 character limitation specified by RFC1939 into qmail.
> > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
>
> I don't recommend applying that patch. Every line of it is wrong. It
> makes qmail-popup less secure, by inserting a call to syslog(), which
> is a security disaster. It also sucks in the string library, which
> includes the well-known security hole sprintf().
>
> Besides, unless I'm missing something, the patch is simply incorrect.
> It should set userlen to strlen(user) + 1, not just to strlen(user).
> Otherwise, qmail-popup won't write out the trailing null byte after
> the user name, breaking the protocol.
>
> (And I agree with others that patching qmail is the wrong approach in
> any case: qmail is not violating the RFC, and vpopmail should not
> assume that its input is well-conditioned.)
>
> Ian
>
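
The two technical points in the quoted reply, as an added example that is not part of either message and is not qmail-popup or vpopmail code: a sender that writes `strlen(user)` bytes instead of `strlen(user) + 1` drops the NUL after the user name, and a receiver that does not trust its input can detect that and enforce the 40-character limit itself. The two-field layout (user, NUL, password, NUL) and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 40   /* the 40-character limit discussed in the thread */

/* Sender: append s at *off. keep_nul = 1 writes strlen(s) + 1 bytes
   (terminator included); keep_nul = 0 writes strlen(s) bytes only. */
static int put_field(char *buf, size_t cap, size_t *off, const char *s, int keep_nul)
{
    size_t len = strlen(s) + (keep_nul ? 1 : 0);
    if (len > cap - *off) return -1;          /* would overflow buf */
    memcpy(buf + *off, s, len);
    *off += len;
    return 0;
}

/* Receiver: length of the NUL-terminated field at off, or -1 if no NUL in bounds. */
static long field_len(const char *buf, size_t n, size_t off)
{
    const char *end = off < n ? memchr(buf + off, '\0', n - off) : NULL;
    return end ? (long)(end - (buf + off)) : -1;
}

/* Receiver: 0 = well-formed, -1 = missing terminator, -2 = user name too long. */
int check_auth_buf(const char *buf, size_t n)
{
    long ulen = field_len(buf, n, 0), plen;
    if (ulen < 0) return -1;
    if (ulen > MAX_USER) return -2;
    plen = field_len(buf, n, (size_t)ulen + 1);
    return plen < 0 ? -1 : 0;
}

/* Constructed demo: build a buffer as the sender would, then validate it. */
int demo(const char *user, const char *pass, int keep_nul)
{
    char buf[512];
    size_t off = 0;
    if (put_field(buf, sizeof buf, &off, user, keep_nul) < 0) return -1;
    if (put_field(buf, sizeof buf, &off, pass, 1) < 0) return -1;
    return check_auth_buf(buf, off);
}

int main(void)
{
    printf("%d %d\n", demo("alice", "secret", 1), demo("alice", "secret", 0));
    return 0;
}
```

With the terminator dropped, the user name and password run together into one field and the password field is missing, so the receiver rejects the buffer instead of reading past its end.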