Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/09/16 22:20:40 UTC
[Bug 6205] New: spamd Configuration Leakage
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6205
Summary: spamd Configuration Leakage
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: spamc/spamd
AssignedTo: dev@spamassassin.apache.org
ReportedBy: guenther@rudersport.de
Found out the other day that the VBounce whitelist_bounce_relays settings are
leaking between users. Tested on 3.2.
Looking at the code and related bug 6003 and bug 4179 it appears this would
still be an issue with trunk.
The recent fix for bug 6003 feels like a lot of foot-work adding each and every
user option. And is prone to break again.
Moreover, looking at that list of options being defined empty, I wonder if
there actually are more issues lurking right around the corner. E.g. ok_locales
immediately comes to mind, which should be treated just like the whitelist
stuff in the fix for bug 6003, no? It isn't, so I'd assume it is leaking, too.
:/
Justin in a list post:
"hmm. yes, I think you're right. This is a general issue with how we
store configs, but we may be able to fix it by inferring the storage
key on the Conf object from the config definition block somehow."
Foot-work or not, if this is what can be done in time for 3.3, then we just
need to carefully check and add all such instances. The above ones already
include main Conf.pm settings (ok_locales and others) and Plugin options
(VBounce).
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6205] spamd Configuration Leakage
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Mark.Martinec@ijs.si
--- Comment #3 from Mark Martinec <Ma...@ijs.si> 2009-09-18 16:10:27 PDT ---
Is Bug 3911 another manifestation of the same problem?
[Bug 6205] spamd Configuration Leakage
--- Comment #6 from Mark Martinec <Ma...@ijs.si> 2009-09-24 05:35:03 PDT ---
> This doesn't look right, it reverts the data structure which I changed
> (r817198, Bug 5958) to avoid eval-ing a tainted string (or just
> blindly untainting it).
URIDetail.pm: fix Bug 6205 comment 5
Sending lib/Mail/SpamAssassin/Plugin/URIDetail.pm
Committed revision 818463.
[Bug 6205] spamd Configuration Leakage
--- Comment #7 from Justin Mason <jm...@jmason.org> 2009-09-24 13:53:05 PDT ---
thanks, I hand-merged that (badly).
[Bug 6205] spamd Configuration Leakage
Karsten Bräckelmann <gu...@rudersport.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
Target Milestone|Undefined |3.3.0
--- Comment #1 from Karsten Bräckelmann <gu...@rudersport.de> 2009-09-16 13:21:42 PDT ---
Priority 3, Target Milestone 3.3.0.
[Bug 6205] spamd Configuration Leakage
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|Mark.Martinec@ijs.si |
[Bug 6205] spamd Configuration Leakage
Justin Mason <jm...@jmason.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jm@jmason.org
--- Comment #2 from Justin Mason <jm...@jmason.org> 2009-09-16 13:28:45 PDT ---
(In reply to comment #0)
>
> Foot-work or not, if this is what can be done in time for 3.3, then we just
> need to carefully check and add all such instances. The above ones already
> include main Conf.pm settings (ok_locales and others) and Plugin options
> (VBounce).
I think we should try to fix as much as possible for 3.3.0. It may be possible
to come up with a simplified test script that demos it without using spamd....
[Bug 6205] spamd Configuration Leakage
Justin Mason <jm...@jmason.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #4 from Justin Mason <jm...@jmason.org> 2009-09-24 03:58:16 PDT ---
done.
the URIDetail plugin needed some fixing -- it was storing possibly per-user
config on the plugin object itself! not good. fixed to store on {conf}. I'm
not sure if it still works though as it has no tests. this is a bug, bug 6209.
: 329...; svn commit -m "bug 6205: add test to ensure that all config settings
are correctly handled when switching between users; add more config setting
type metadata to enable those tests to work; and fix URIDetail to store config
on the {conf} object, not on the plugin."
Sending MANIFEST
Sending lib/Mail/SpamAssassin/Conf/Parser.pm
Sending lib/Mail/SpamAssassin/Conf.pm
Sending lib/Mail/SpamAssassin/Plugin/DKIM.pm
Sending lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm
Sending lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
Sending lib/Mail/SpamAssassin/Plugin/URIDetail.pm
Sending lib/Mail/SpamAssassin/Plugin/WhiteListSubject.pm
Adding t/cross_user_config_leak.t
Transmitting file data .........
Committed revision 818443.
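The failure mode in comment #0 and the root cause named in comment #4 (a plugin keeping possibly per-user settings on the plugin object, which spamd creates once and reuses for every user, instead of on the per-user conf object) can be shown without spamd at all. The following is an added illustration, not SpamAssassin code and not the t/cross_user_config_leak.t test from r818443: the package names LeakyPlugin, FixedPlugin and FakeConf, the config keys and the two users' preference lines are all constructed for the example, and the only assumption about spamd it relies on is the one stated in the thread, a single long-lived plugin instance and a fresh configuration object per user.

```perl
#!/usr/bin/perl
# Added illustration (not SpamAssassin code): per-user settings stored on a
# long-lived plugin object leak between users; the same settings stored on the
# per-user conf object do not. LeakyPlugin, FixedPlugin, FakeConf and the
# config keys below are hypothetical names made up for this example.
use strict;
use warnings;

# Stand-in for the per-user configuration object. Assumption, as described in
# the thread: spamd builds a fresh one for each user it switches to.
package FakeConf;
sub new { my ($class, %args) = @_; return bless { %args }, $class }

# Plugin that keeps its config on itself. The plugin object is created once
# and reused for every user, so what the first user configured is still
# present when the next user's mail is scanned.
package LeakyPlugin;
sub new { return bless { uri_detail => {} }, shift }
sub parse_config {
    my ($self, $conf, $name, $op, $pattern) = @_;
    $self->{uri_detail}{$name} = [$op, $pattern];   # hangs off the plugin
}
sub rules_for {
    my ($self, $conf) = @_;
    return sort keys %{ $self->{uri_detail} };
}

# Same plugin, with the settings stored on the user's conf object instead,
# so they go away together with that object when the next user is loaded.
package FixedPlugin;
sub new { return bless {}, shift }
sub parse_config {
    my ($self, $conf, $name, $op, $pattern) = @_;
    $conf->{uri_detail}{$name} = [$op, $pattern];   # hangs off the conf
}
sub rules_for {
    my ($self, $conf) = @_;
    return sort keys %{ $conf->{uri_detail} || {} };
}

package main;

# Constructed per-user preference lines: alice defines one rule, bob none.
my %user_prefs = (
    alice => [ [ 'ALICE_RULE', 'raw', 'example\.test' ] ],
    bob   => [],
);

# Simulate spamd's lifetime: one plugin instance, a new conf for each user,
# and record which rules each user ends up with.
sub run_users {
    my ($plugin) = @_;
    my %seen;
    for my $user (qw(alice bob)) {
        my $conf = FakeConf->new(username => $user);
        $plugin->parse_config($conf, @$_) for @{ $user_prefs{$user} };
        $seen{$user} = [ $plugin->rules_for($conf) ];
    }
    return \%seen;
}

for my $class (qw(LeakyPlugin FixedPlugin)) {
    my $seen = run_users($class->new);
    for my $user (qw(alice bob)) {
        printf "%-12s %-6s sees: %s\n", $class, $user,
            join(',', @{ $seen->{$user} }) || '(none)';
    }
}
```

Run as `perl leak.pl`. With LeakyPlugin, bob is reported as having ALICE_RULE even though his preferences define nothing, which is exactly the cross-user leakage the bug describes; with FixedPlugin, bob sees no rules. The same split is why the thread's fix list in comment #4 touches several plugins at once: any plugin that writes into `$self` (or a package-level variable) during config parsing has this shape, and a test that loads two users in sequence through one plugin instance catches it regardless of which option is involved.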
[Bug 6205] spamd Configuration Leakage
--- Comment #5 from Mark Martinec <Ma...@ijs.si> 2009-09-24 04:11:19 PDT ---
> Sending lib/Mail/SpamAssassin/Plugin/URIDetail.pm
> Committed revision 818443.
> --- lib/Mail/SpamAssassin/Plugin/URIDetail.pm (revision 818442)
> +++ lib/Mail/SpamAssassin/Plugin/URIDetail.pm (revision 818443)
> - $pluginobj->{uri_detail}->{$name}->{$target} =
[$op, $pattern];
> + $conf->{parser}->{conf}->{uri_detail}->{$name}->{$target} =
"$op /$pattern/";
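Review bot: the `+` line does two things at once, and only one of them belongs to this fix: relocating the key from `$pluginobj->{uri_detail}` to the conf object addresses the cross-user leak, but the right-hand side also changes from the arrayref `[$op, $pattern]` to the interpolated string `"$op /$pattern/"`, which puts the operator and the user-supplied pattern back into a single string that has to be re-parsed or eval'd before use, undoing the separation introduced in r817198 for Bug 5958. Keep the arrayref when moving the key, i.e. `$conf->{parser}->{conf}->{uri_detail}->{$name}->{$target} = [$op, $pattern];`, so the taint handling stays as it was and the consumer of `{uri_detail}` does not need to change its expectations of the value's shape.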
This doesn't look right, it reverts the data structure which I changed
(r817198, Bug 5958) to avoid eval-ing a tainted string (or just
blindly untainting it).