>     my $binary = $self->qp->config("smtpauth-checkpassword")
>       or return (DECLINED);
>     return(DECLINED) if ( ! -x $binary );
> 
>     my ($untainted) = $binary =~ /^(.*)$/;
> 
>     open(CPW,"|$untainted /usr/bin/true 3<&0");
>     # checkpassword will fail if it's not given something to execute.
>     # Probably a bad idea to hard-code the path. -Johan

Yes, it is a bad idea, because e.g. on Linux it needs to be /bin/true. I
forgot about that part in my plugin, as I'm using a modified checkpassword
which does not need it.

I would, however, suggest changing the code as follows:

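     my $command = $self->qp->config("smtpauth-checkpassword")
       or return (DECLINED);
     # Split the config line into the program and its (optional) arguments.
     my ($binary, $params) = $command =~ /^(\S+)(.*)$/;

     return(DECLINED) if ( ! -x $binary );
     # Use $binary here: $command already contains $params.
     open(CPW,"|$binary $params 3<&0");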

This should allow one to just write '/my/path/to/checkpassword /bin/true' or
similar content into the config file, without breaking the (modest) security
which ensures that actually an existing command is executed.

Regards
Michael

-- 
      It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
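
The split-and-check approach suggested in the message above can also be done without passing the config string to a shell. This is an added example, not code from this thread or from qpsmtpd; the helper names, the character whitelist and the sample config value are assumptions, and it relies on the standard checkpassword interface (credentials read from descriptor 3).

```perl
use strict;
use warnings;
use Fcntl qw(F_SETFD);
use POSIX qw(dup2 _exit);

# Hypothetical helper: split '/my/path/to/checkpassword /bin/true' into
# program and arguments. The narrow pattern rejects shell metacharacters,
# and its captures are untainted under -T.
sub parse_checkpassword_config {
    my ($line) = @_;
    return unless defined $line;
    my ($binary, $rest) =
      $line =~ m{^\s*(/[\w.+/-]+)((?:\s+[\w.+/-]+)*)\s*$} or return;
    return unless -f $binary && -x _;
    return ($binary, split ' ', $rest);
}

# Hypothetical helper: feed "user\0pass\0timestamp\0" to checkpassword on
# descriptor 3. True only if it (and the program it runs) exits 0.
sub run_checkpassword {
    my ($user, $pass, $binary, @args) = @_;
    pipe(my $rd, my $wr) or return 0;
    my $pid = fork();
    return 0 unless defined $pid;
    if ($pid == 0) {                          # child
        close $wr;
        if (fileno($rd) != 3) {
            dup2(fileno($rd), 3) or _exit(111);
            close $rd;
        } else {
            fcntl($rd, F_SETFD, 0) or _exit(111);   # clear close-on-exec
        }
        exec { $binary } $binary, @args or _exit(111);  # no /bin/sh
    }
    close $rd;
    local $SIG{PIPE} = 'IGNORE';              # child may exit early
    print {$wr} join("\0", $user, $pass, time(), '');
    close $wr;
    waitpid($pid, 0);
    return $? == 0;
}

# Constructed sample config value (on Linux the path is /bin/true).
if (my ($bin, @args) = parse_checkpassword_config('/bin/checkpassword /bin/true')) {
    print run_checkpassword('alice', 'secret', $bin, @args) ? "OK\n" : "DENY\n";
}
```

Because exec is called in list form, the config value is never interpreted by /bin/sh, so the -x check and the program that actually runs always refer to the same path.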

