Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/04/27 00:39:38 UTC

[Bug 2292] whitelist_from fooled by quotes

http://bugzilla.spamassassin.org/show_bug.cgi?id=2292

felicity@kluge.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From felicity@kluge.net  2004-04-26 15:39 -------
"whitelist_from_rcvd" is always better to use, and you don't really ever want to whitelist yourself for the reason of forging, but the problem, for those interested, is that whitelist_from initiates this process:

    @addrs = $self->{main}->find_all_addrs_in_line
        ($self->get ('From') .                  # std
         $self->get ('Envelope-Sender') .       # qmail: new-inject(1)
         $self->get ('Resent-Sender') .         # procmailrc manpage
         $self->get ('X-Envelope-From') .       # procmailrc manpage
         $self->get ('EnvelopeFrom'));          # SMTP envelope

which looks for anything that looks like an address, and goes from there.

I just committed a fix which uses the get('...:addr') code instead.  These are all From headers, so there should only be 1 address per header, and the :addr code knows how to deal with comments, etc.  Note: whitelist_from is still vulnerable to forging (just set the From header to the address you want,) but that's why whitelist_from_rcvd is favored. :)

r10293
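A worked illustration of the two lookups the comment contrasts, as an added Python example (this is not SpamAssassin's own Perl code; the function names find_all_addrs_in_line and get_from_addr are modelled on the methods named above, and the sample headers and whitelist are constructed):

```python
import re
from email.utils import parseaddr

# Constructed samples. In the first, the quoted display name carries a
# whitelisted address while the real addr-spec in angle brackets does not;
# the second hides the whitelisted address in a comment instead.
QUOTED_FROM = '"alice@trusted.example" <attacker@evil.example>'
COMMENT_FROM = 'attacker@evil.example (alice@trusted.example)'
HONEST_FROM = 'Alice <alice@trusted.example>'
WHITELIST = {"alice@trusted.example"}

# Loose "looks like an address" pattern, standing in for the pre-fix scan.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def find_all_addrs_in_line(line):
    """Naive scan modelled on the pre-fix behaviour described in the bug:
    every token that looks like an address is returned, whether it sits in
    the addr-spec, a quoted display name, or a comment."""
    return [a.lower() for a in ADDR_RE.findall(line)]


def get_from_addr(header):
    """Address-aware parse modelled on the post-fix ':addr' behaviour:
    a From header carries one addr-spec, and the display name and any
    comments are discarded before comparison."""
    _display_name, addr = parseaddr(header)
    return addr.lower()


def whitelisted_naive(header, whitelist):
    """whitelist_from as described before the fix: any address-like token
    anywhere in the header is enough to match."""
    return any(a in whitelist for a in find_all_addrs_in_line(header))


def whitelisted_fixed(header, whitelist):
    """whitelist_from as described after the fix: only the parsed
    addr-spec is compared."""
    return get_from_addr(header) in whitelist


if __name__ == "__main__":
    for label, hdr in (("quoted", QUOTED_FROM),
                       ("comment", COMMENT_FROM),
                       ("honest", HONEST_FROM)):
        print(f"{label:8s} naive={whitelisted_naive(hdr, WHITELIST)!s:5s} "
              f"fixed={whitelisted_fixed(hdr, WHITELIST)!s:5s} "
              f"addr={get_from_addr(hdr)}")
```

The honest header is accepted by both lookups; the two crafted headers are accepted only by the naive scan, which is the defect the bug reports. As the comment also notes, the parsed From address is still whatever the sender chose to put there, so this fix removes the quoting trick but not the forgery itself, which is why whitelist_from_rcvd (matching on the receiving relay) remains the recommended mechanism.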


