Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/12/01 02:01:06 UTC

Re: Insecure dependency in SA plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Marc -- I've run into this a couple of times.  seems to be a perl
issue.  the fix is to create a *new* variable name -- not reuse
the same "$envfrom" variable.  you can do:

    my $newenvfrom = $1; $envfrom = undef; $envfrom = $newenvfrom;

if you like.

- --j.

Marc MERLIN writes:
> So, I'm not new to perl or taint mode, but I've been stumbling on this
> problem all weekend without finding a fix
> 
> $envfrom=some tainted source, i.e. $permsgstatus->get($option{'envfromhdr'})
> # clean variables to run properly under -T
> #$envfrom =~ /(.+)/; # this didn't work, so maybe my perl is more picky and
>                      # won't untaint on .+ anymore?
> $envfrom =~ m'([-!#%( )*+,.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]^_abcdefghijklmnopqrstuvwxyz{|}~]+)';
> $envfrom = $1 or "";
> warn "GREYLIST envfrom: $envfrom\n";
> mkdir "/tmp/$envfrom";
> 
> The problem is that even the above code still gives me insecure dependency errors.
> Nov 29 19:06:45 magic spamd[9297]: GREYLIST entered
> Nov 29 19:06:45 magic spamd[9297]: GREYLIST running
> Nov 29 19:06:45 magic spamd[9297]: GREYLIST envfrom: svlug-bounces+svlug-local=merlins.org@lists.svlug.org
> Nov 29 19:06:46 magic spamd[9297]: result: . -2 -
> BAYES_00,GREYLIST_ISWHITE,NOREVDNS
> scantime=8.0,size=3199,mid=<41...@i2telecom.com>,bayes=1.11022302462516e-16,autolearn=ham
> Nov 29 19:08:35 magic spamd[21955]: GREYLIST entered
> Nov 29 19:08:35 magic spamd[21955]: GREYLIST running
> Nov 29 19:08:35 magic spamd[21955]: GREYLIST envfrom: exim-users-bounces+exim-users-local=merlins.org@exim.org
> Nov 29 19:08:35 magic spamd[21955]: Failed to run GREYLIST_ISWHITE
> SpamAssassin test, skipping:__(Insecure dependency in mkdir while
> running with -T switch at
> /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 162._)
> 
> But, here's the kicker: only sometimes (see above). 
> I've added the warn to see if that was related to the Email, but I haven't
> found any pattern yet.
> 
> I'm starting to suspect my perl, because
> 1) a pattern being tainted sometimes but not always isn't right
> 2) the perlsec man page still says that even $envfrom =~ /(.+)/;
>    $envfrom = ($1 or "");
>    should untaint the variable.
> 3) this happens one time in ten more or less
> 4) it doesn't even seem to depend on the type of data in the variable
>    (see the above, two similar VERP addresses, one went through and one didn't)
> 
> I'm running the latest debian perl: 5.8.4-4
> 
> Am I missing some SA trick, or should I take this with the perl folks?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBrRfSMJF5cimLx9ARAvl8AJ96ABDn/oKmBXon7LX6IomFiWyZewCeKqUQ
rAxJJc6Iqp6yB4TfFyeGJf0=
=YamA
-----END PGP SIGNATURE-----
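The following is an added example, not code from the thread or from the SpamAssassin Greylisting plugin. It shows the untainting pattern Justin recommends (capture into a new lexical rather than reassigning the tainted scalar) applied to an envelope-from value, and checks the result with Scalar::Util::tainted before calling mkdir under -T. The base directory, the ENVFROM environment variable, and the character allowlist are all assumptions made for the demo; the allowlist is anchored so that anything outside it rejects the value instead of silently truncating it.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): untaint an envelope-from value under
# perl -T by capturing into a *new* variable, then use it as one path component.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# A fixed literal is never tainted; only the address component comes from outside.
my $BASE = '/tmp/greylist-example';   # hypothetical path for this demo

# Return a clean copy of $raw suitable for a single directory name,
# or undef if it contains anything outside the allowlist.
sub untaint_envfrom {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Assumed allowlist: address characters without '/', whitespace or NUL.
    # \A ... \z forces the whole string to match; a bare /(.+)/ would accept
    # anything, which defeats the point of running under -T.
    return undef unless $raw =~ /\A([A-Za-z0-9!#%()*+,.:<=>?@\[\]^_{|}~-]+)\z/;
    my $clean = $1;                 # new lexical, never the tainted scalar itself
    return undef if $clean eq '.' || $clean eq '..';   # not usable as a name
    return $clean;
}

# Environment values are tainted under -T; ENVFROM is a name chosen for this demo.
my $envfrom = defined $ENV{ENVFROM} ? $ENV{ENVFROM} : '';
printf "input tainted: %s\n", tainted($envfrom) ? 'yes' : 'no';

my $clean = untaint_envfrom($envfrom);
die "refusing envelope-from that fails the allowlist\n" unless defined $clean;
printf "clean tainted: %s\n", tainted($clean) ? 'yes' : 'no';

my $dir = File::Spec->catdir($BASE, $clean);
mkdir $BASE unless -d $BASE;
mkdir $dir or die "mkdir $dir: $!\n" unless -d $dir;
print "created $dir\n";
```

Run it as `ENVFROM='list-bounces+user=example.org@example.org' perl -T untaint.pl`; a value containing a space or a slash makes the script die before any filesystem call. Two details are worth keeping in mind when adapting this: `$x = $1 or "";` parses as `($x = $1) or "";` because `or` binds more loosely than `=`, so the fallback never reaches `$x`, which is why the example tests `defined` instead; and the result is only as safe as the allowlist, so review it against what the surrounding code actually does with the value rather than treating "untainted" as "validated".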


Re: Insecure dependency in SA plugin

Posted by Marc MERLIN <ma...@merlins.org>.
On Tue, Nov 30, 2004 at 05:01:06PM -0800, Justin Mason wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Marc -- I've run into this a couple of times.  seems to be a perl
> issue.  the fix is to create a *new* variable name -- not reuse
> the same "$envfrom" variable.  you can do:
> 
>     my $newenvfrom = $1; $envfrom = undef; $envfrom = $newenvfrom;
> 
> if you like.

So, after a few days of testing, I can confirm that it works, thanks for the
trick.

I've put a comment that this is at least a perl 5.8.4 bug

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key