Accéder au contenu.
Menu Sympa

fr - [patch] Possible security hole in Sympa

Objet : Pour les administrateurs de serveurs de listes utilisant le logiciel Sympa

Archives de la liste

Chronologique Discussions  
  • From: Olivier Salaun - CRU <adresse@cachée>
  • To: adresse@cachée
  • Cc: adresse@cachée
  • Subject: [patch] Possible security hole in Sympa
  • Date: Tue, 21 Sep 1999 15:49:08 +0200

A bug has been reported by "Frederic ALLIOD" <adresse@cachée> :

The problem occurs when sending a file/message/report to an email
address beginning with a "-". When invoking sendmail, this is considered
by sendmail like an argument which he doesn't understand. Sendmail call
fails and Sympa dies.


Here is a patch :

Olivier Salaun

*** smtp.pm~ Tue Jun 29 17:21:03 1999
--- smtp.pm Tue Sep 21 15:32:22 1999
***************
*** 67,72 ****
--- 67,83 ----
my @t = $rcpt; \@t = $rcpt;
do_log('debug2', '[smtpto] Msg from %s, %d rcpts',$from, $#t);

+ ## Escape "-" at beginning of recepient addresses
+ ## prevent sendmail from taking it as argument
+ if (ref($rcpt) eq 'SCALAR') {
+ $$rcpt =~ s/^-/\\-/;
+ }else {
+ my @emails = @$rcpt;
+ foreach my $i (0..$#emails) {
+ $rcpt->[$i] =~ s/^-/\\-/;
+ }
+ }
+
## Check how many open smtp's we have, if too many wait for a few
## to terminate and then do our job.
print STDERR "Open = $opensmtp\n" if ($main::opt_d);



Archives gérées par MHonArc 2.6.19+.

Haut de le page