You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by mm...@apache.org on 2009/09/21 12:18:36 UTC
svn commit: r817198 -
/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm
Author: mmartinec
Date: Mon Sep 21 10:18:31 2009
New Revision: 817198
URL: http://svn.apache.org/viewvc?rev=817198&view=rev
Log:
Bug 5958: URIDetail plugin not taint safe, fixed
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm?rev=817198&r1=817197&r2=817198&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDetail.pm Mon Sep 21 10:18:31 2009
@@ -30,7 +30,7 @@
The format for defining a rule is as follows:
- uri_detail SYMBOLIC_TEST_NAME key1 =~ /value1/ key2 !~ /value2/ ...
+ uri_detail SYMBOLIC_TEST_NAME key1 =~ /value1/ key2 !~ /value2/ ...
Supported keys are:
@@ -53,11 +53,11 @@
Example rule for matching a URI where the raw URI matches "%2Ebar",
the domain "bar.com" is found, and the type is "a" (an anchor tag).
- uri_detail TEST1 raw =~ /%2Ebar/ domain =~ /^bar\.com$/ type =~ /^a$/
+ uri_detail TEST1 raw =~ /%2Ebar/ domain =~ /^bar\.com$/ type =~ /^a$/
Example rule to look for suspicious "https" links:
- uri_detail FAKE_HTTPS text =~ /\bhttps:/ cleaned !~ /\bhttps:/
+ uri_detail FAKE_HTTPS text =~ /\bhttps:/ cleaned !~ /\bhttps:/
Regular expressions should be delimited by slashes.
@@ -66,6 +66,7 @@
package Mail::SpamAssassin::Plugin::URIDetail;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
+use Mail::SpamAssassin::Util qw(untaint_var);
use strict;
use warnings;
@@ -85,7 +86,7 @@
my $self = $class->SUPER::new($mailsaobject);
bless ($self, $class);
- $self->register_eval_rule ("check_uri_detail");
+ $self->register_eval_rule("check_uri_detail");
$self->set_config($mailsaobject->{conf});
@@ -128,7 +129,7 @@
}
dbg("config: uri_detail adding ($target $op /$pattern/) to $name");
- $pluginobj->{uri_detail}->{$name}->{$target} = "$op /$pattern/";
+ $pluginobj->{uri_detail}->{$name}->{$target} = [$op, $pattern];
$added_criteria = 1;
}
@@ -159,65 +160,61 @@
my $rule = $self->{uri_detail}->{$test};
if (exists $rule->{raw}) {
- my $tmp = $rule->{raw};
- next unless (eval "\$raw ${tmp}");
- dbg("uri: raw matched\n");
+ my($op,$patt) = @{$rule->{raw}};
+ if ( ($op eq '=~' && $raw =~ /$patt/) ||
+ ($op eq '!~' && $raw !~ /$patt/) ) {
+ dbg("uri: raw matched: '%s' %s /%s/", $raw,$op,$patt);
+ } else {
+ next;
+ }
}
if (exists $rule->{type}) {
next unless $info->{types};
- my $tmp = $rule->{type};
- my $match = 0;
+ my($op,$patt) = @{$rule->{type}};
+ my $match;
for my $text (keys %{ $info->{types} }) {
- if (eval "\$text ${tmp}") {
- $match = 1;
- last;
- }
+ if ( ($op eq '=~' && $text =~ /$patt/) ||
+ ($op eq '!~' && $text !~ /$patt/) ) { $match = $text; last }
}
- next unless $match;
- dbg("uri: type matched\n");
+ next unless defined $match;
+ dbg("uri: type matched: '%s' %s /%s/", $match,$op,$patt);
}
- if (exists $rule->{cleaned} && exists $info->{cleaned}) {
+ if (exists $rule->{cleaned}) {
next unless $info->{cleaned};
- my $tmp = $rule->{cleaned};
- my $match = 0;
+ my($op,$patt) = @{$rule->{cleaned}};
+ my $match;
for my $text (@{ $info->{cleaned} }) {
- if (eval "\$text ${tmp}") {
- $match = 1;
- last;
- }
+ if ( ($op eq '=~' && $text =~ /$patt/) ||
+ ($op eq '!~' && $text !~ /$patt/) ) { $match = $text; last }
}
- next unless $match;
- dbg("uri: cleaned matched\n");
+ next unless defined $match;
+ dbg("uri: cleaned matched: '%s' %s /%s/", $match,$op,$patt);
}
if (exists $rule->{text}) {
next unless $info->{anchor_text};
- my $tmp = $rule->{text};
- my $match = 0;
+ my($op,$patt) = @{$rule->{text}};
+ my $match;
for my $text (@{ $info->{anchor_text} }) {
- if (eval "\$text ${tmp}") {
- $match = 1;
- last;
- }
+ if ( ($op eq '=~' && $text =~ /$patt/) ||
+ ($op eq '!~' && $text !~ /$patt/) ) { $match = $text; last }
}
- next unless $match;
- dbg("uri: text matched\n");
+ next unless defined $match;
+ dbg("uri: text matched: '%s' %s /%s/", $match,$op,$patt);
}
if (exists $rule->{domain}) {
next unless $info->{domains};
- my $tmp = $rule->{domain};
- my $match = 0;
+ my($op,$patt) = @{$rule->{domain}};
+ my $match;
for my $text (keys %{ $info->{domains} }) {
- if (eval "\$text ${tmp}") {
- $match = 1;
- last;
- }
+ if ( ($op eq '=~' && $text =~ /$patt/) ||
+ ($op eq '!~' && $text !~ /$patt/) ) { $match = $text; last }
}
- next unless $match;
- dbg("uri: domain matched\n");
+ next unless defined $match;
+ dbg("uri: domain matched: '%s' %s /%s/", $match,$op,$patt);
}
if (would_log('dbg', 'rules') > 1) {