On Thu, 1 Sep 2005, John Peacock wrote:
Pascal Dreissen wrote:
@40000000430f887620ab0f5c 2470 FATAL PLUGIN ERROR: Insecure dependency
in exec while running with -T switch at ./plugins/queue/qmail-queue
line 106, <STDIN> line 11.
Nobody?
You haven't given us much to go on. What version of Perl are you running?
Are you passing the location of qmail-queue on the config/plugins line?
Have you read "man perlsec" and read up on perl taint checking? Worthwhile
for anyone working with perl.
BTW, what version of qpsmtpd do you have?
    # Untaint $self->{_queue_exec}
    my $queue_exec = $self->{_queue_exec};
    if ($queue_exec =~ /^(\/[\/\-\_\.a-z0-9A-Z]*)$/) {
        $queue_exec = $1;
    } else {
        $self->log(LOGERROR, "FATAL ERROR: Unexpected characters in qmail-queue plugin argument");
        # This exit is ok as we're exiting a forked child process.
        exit 3;
    }
    ...skip...
    my $rc = exec $queue_exec;
which _should_ work (barring something strange in your system).
$ENV{PATH} needs to be sanitised as well.
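
The two untainting steps raised in this thread, the allow-list match on the qmail-queue path and a fixed $ENV{PATH}, shown together as an added example that is not part of the original messages or of qpsmtpd. The helper names, /bin/echo standing in for qmail-queue, and the PATH value are assumptions.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allow-list untaint, same character class as the plugin snippet above.
# \A and \z are used instead of ^ and $ so a trailing newline is rejected.
sub untaint_path {
    my ($path) = @_;
    return undef unless defined $path;
    return $path =~ m{\A(/[/\-_.a-zA-Z0-9]*)\z} ? $1 : undef;
}

# Replace the inherited (tainted) environment with fixed values, as
# perlsec recommends before any exec or system call.
sub sanitise_env {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = '/bin:/usr/bin';    # assumption: suitable for this host
    return;
}

# Try to run a command and report whether taint checking let it through.
# system() is used so the demo keeps running; exec gets the same checks.
sub attempt {
    my ($label, @cmd) = @_;
    my $ran = eval { system(@cmd); 1 };
    my $why = $ran ? 'allowed' : "refused: $@";
    chomp $why;
    print "$label: $why\n";
    return $ran ? 1 : 0;
}

# Constructed sample input: a plugin argument made tainted by appending an
# empty slice of tainted data, standing in for a value read from config.
my $from_config = '/bin/echo' . substr("$0$^X", 0, 0);
die "run with -T\n" unless ${^TAINT} && tainted($from_config);

my $clean = untaint_path($from_config);
die "unexpected characters in path\n" unless defined $clean;

attempt('clean path, inherited env', $clean, 'hello');       # inherited PATH is tainted
sanitise_env();
attempt('tainted path, fixed env', $from_config, 'hello');   # argument is tainted
attempt('clean path, fixed env', $clean, 'hello');           # passes both checks
printf "trailing newline rejected: %s\n",
    defined(untaint_path("/bin/echo\n")) ? 'no' : 'yes';
```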