Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2015/06/08 14:38:00 UTC
[Bug 7206] New: TxRep treats strings from a mail as a regular expression
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7206
Bug ID: 7206
Summary: TxRep treats strings from a mail as a regular expression
Product: Spamassassin
Version: 3.4.2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: Mark.Martinec@ijs.si
Noticed the following warning in a TxRep plugin:
_WARN: rules: failed to run TXREP test, skipping:
(Unmatched ) in regex; marked by <-- HERE in m/aol.de) <-- HERE /
at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm
line 1262
Looking at the reported line, the issue seems more serious:
if (defined $rly->{helo} && $rly->{helo} !~ /^\[?$rly->{ip}\]?$/ &&
$rly->{helo} !~ /$domain/i && $rly->{helo} !~ /$from/i ) { ...
The code treats strings obtained 'from the wild' as regular expressions,
which they are not (e.g. a dot means 'any character' in a regexp).
At the very least these variables in a regexp need to be protected
by \Q ... \E, but more likely they should be replaced by index()
or an 'eq' operator.
Haven't investigated details, but in view of the recent security
flaw found in libpcre (unrelated to perl, but the same reasoning
applies), it seems bad practice to let strings from the wild get
anywhere near being treated as a regular expression without a
double dose of sanitation and careful consideration of potential
consequences.
--
You are receiving this mail because:
You are the assignee for the bug.
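The vulnerable shape quoted in the report, beside the two fixes it suggests (\Q...\E quoting and index()), as an added example written for this page rather than code from the TxRep plugin; the sub names and the sample HELO and domain values are constructed:

```perl
#!/usr/bin/perl
# Added example, not TxRep code: a mail-supplied domain string is interpolated
# into a pattern unquoted, so regex metacharacters in mail data are live.
# Sub names and the HELO/domain sample values below are constructed.
use strict;
use warnings;

# Vulnerable shape (as in the report): $domain comes from the mail and is
# used as the pattern. An unbalanced ')' or a leading '*' makes the regex
# fail to compile at runtime; a '.' silently matches any character.
sub helo_mentions_domain_unsafe {
    my ($helo, $domain) = @_;
    my $matched = eval { $helo =~ /$domain/i ? 1 : 0 };
    return $matched if defined $matched;
    my $err = $@;
    $err =~ s/ at .*//s;          # drop the "at FILE line N." tail
    return "ERROR: $err";
}

# Fix 1: \Q...\E quotes the interpolated string, so it is matched literally.
sub helo_mentions_domain_quoted {
    my ($helo, $domain) = @_;
    return $helo =~ /\Q$domain\E/i ? 1 : 0;
}

# Fix 2: no regex at all; a case-insensitive substring test with index().
sub helo_mentions_domain_index {
    my ($helo, $domain) = @_;
    return index(lc($helo), lc($domain)) >= 0 ? 1 : 0;
}

# Constructed inputs: a benign pair, the two warning-producing strings from
# the report, and a domain whose unescaped '.' would match any character.
my @cases = (
    [ 'mail.example.com', 'example.com' ],        # 1 / 1 / 1
    [ 'mail.aol.de',      'aol.de)' ],            # ERROR / 0 / 0
    [ 'smtp.163.com',     '* oa09f1g@163.com' ],  # ERROR / 0 / 0
    [ 'mailXexampleYcom', 'example.com' ],        # 1 (false match) / 0 / 0
);
for my $c (@cases) {
    my ($helo, $domain) = @$c;
    printf "%-18s vs %-20s unsafe=%s quoted=%d index=%d\n", $helo, $domain,
        helo_mentions_domain_unsafe($helo, $domain),
        helo_mentions_domain_quoted($helo, $domain),
        helo_mentions_domain_index($helo, $domain);
}
```

The fourth case shows the quieter problem the report mentions: the unquoted pattern accepts a HELO that does not actually contain the domain, while both fixes reject it.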
[Bug 7206] TxRep treats strings from a mail as a regular expression
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7206
Mark Martinec <Ma...@ijs.si> changed:
What             | Removed                          | Added
-----------------+----------------------------------+----------------------------
Version          | 3.4.2                            | 3.4.1
Group            | security                         |
Target Milestone | Undefined                        | 3.4.2
Assignee         | security@spamassassin.apache.org | dev@spamassassin.apache.org
Component        | Security                         | Plugins
Re: [Bug 7206] TxRep treats strings from a mail as a regular expression
Posted by Mark Martinec <Ma...@ijs.si>.
> Group|security |
> Component|Security |Plugins
Sorry for unintentionally overwriting the assignment to security,
was a mid-air collision. I'll rest now :)
Mark
[Bug 7206] TxRep treats strings from a mail as a regular expression
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7206
Mark Martinec <Ma...@ijs.si> changed:
What             | Removed                          | Added
-----------------+----------------------------------+----------------------------
Assignee         | security@spamassassin.apache.org | dev@spamassassin.apache.org
Group            | security                         |
Component        | Security                         | Plugins
--- Comment #2 from Mark Martinec <Ma...@ijs.si> ---
Found another (older) example of a warning:
_WARN: rules: failed to run TXREP test, skipping:
(Quantifier follows nothing in regex; marked by <-- HERE
in m/* <-- HERE oa09f1g@163.com/
at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm
line 1255.)
(The different line number is probably due to a recent small update
of the plugin code; I'm running a 4.0.0 here.)