Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/04/27 00:39:38 UTC
[Bug 2292] whitelist_from fooled by quotes
http://bugzilla.spamassassin.org/show_bug.cgi?id=2292
felicity@kluge.net changed:
      What|Removed                     |Added
----------------------------------------------------------------------------
    Status|NEW                         |RESOLVED
Resolution|                            |FIXED
------- Additional Comments From felicity@kluge.net 2004-04-26 15:39 -------
"whitelist_from_rcvd" is always better to use, and you don't really ever want to
whitelist yourself for the reason of forging, but the problem, for those interested,
is that whitelist_from initiates this process:
  @addrs = $self->{main}->find_all_addrs_in_line
      ($self->get ('From') .             # std
       $self->get ('Envelope-Sender') .  # qmail: new-inject(1)
       $self->get ('Resent-Sender') .    # procmailrc manpage
       $self->get ('X-Envelope-From') .  # procmailrc manpage
       $self->get ('EnvelopeFrom'));     # SMTP envelope
which looks for anything that looks like an address, and goes from there.
I just committed a fix which uses the get('...:addr') code instead. These are all
From headers, so there should only be 1 address per header, and the :addr code knows
how to deal with comments, etc. Note: whitelist_from is still vulnerable to forging
(just set the From header to the address you want), but that's why
whitelist_from_rcvd is favored. :)
r10293
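The difference between the two lookups described in the comment above, as an added example (not SpamAssassin's code and not part of the original message). `scan_all_addrs` and `single_addr` are hypothetical, simplified stand-ins for `find_all_addrs_in_line` and the `:addr` lookup; the whitelist entry and From headers are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the old behaviour: collect every substring of the
# header that looks like an address, wherever in the header it appears.
sub scan_all_addrs {
    my ($line) = @_;
    return map { lc($_) } $line =~ /([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)/g;
}

# Hypothetical, simplified stand-in for the ':addr' behaviour: drop comments
# and quoted display names, then return the one mailbox address that is left.
sub single_addr {
    my ($line) = @_;
    $line =~ s/\((?:[^()\\]|\\.)*\)//g;   # remove (comments)
    $line =~ s/"(?:[^"\\]|\\.)*"//g;      # remove "quoted phrases"
    return lc $1 if $line =~ /<\s*([^<>\s]+\@[^<>\s]+)\s*>/;   # Name <addr>
    return lc $1 if $line =~ /([^\s<>,;]+\@[^\s<>,;]+)/;       # bare addr
    return '';
}

# Number of candidate addresses that appear in the whitelist.
sub whitelisted {
    my ($wl, @addrs) = @_;
    return scalar grep { $wl->{$_} } @addrs;
}

my %whitelist = ('friend@example.com' => 1);   # constructed whitelist_from entry

# Constructed From headers: a genuine one, then the whitelisted address
# appearing only in a quoted display name, then only in a comment.
my @headers = (
    'Friend <friend@example.com>',
    '"friend@example.com" <sender@other.example>',
    'sender@other.example (friend@example.com)',
);

for my $from (@headers) {
    printf "%-46s scan=%-5s addr=%s\n", $from,
        (whitelisted(\%whitelist, scan_all_addrs($from)) ? 'match' : 'no'),
        (whitelisted(\%whitelist, single_addr($from))    ? 'match' : 'no');
}
```

Both lookups still trust whatever the From header says, which is the forging limitation the comment notes for whitelist_from.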