Paul J Stevens <[EMAIL PROTECTED]> said:

> I'm sorry to disagree here. The user+mailbox format was committed only
> two weeks ago (July 27). If that's creating problems it should be backed
> out. Solution 1 will break functionality that has been around for a *long*
> time.
>
> In my view, the untested user+mailbox format hack should not have been
> allowed in during the rc phase. Discussion on the bugtracker does not
> constitute a proper procedure for inclusion during such a critical phase
> in my view. Only bugfixes and critical cleanups (getopt was ok) should be
> let in.
>
> grumpy sez...
>

Pulling it out was one of my first reactions, and I posted that to the bug tracker:

[intro]
- comment out the code and put this off until later.
[snip]
Even if we did disable this address syntax, someone who wants to work with TMDA or Amavis-new would have to write a script that used the dbmail-smtp -m "mailbox" option, which is vulnerable to exactly the same attack. So it would be the mail admin hanging themself instead of DBMail doing it for them.

None of the follow-ups considered this option, so I ditched it, too.

But you're absolutely right, this much trouble with such a late change is ridiculous, and I apologize for getting us into this situation.

So I think that we should either:
- pull the address+mailbox code and do an RC, or
- do an RC right now and figure out a solution before the next RC.

Like I posted just a few minutes ago earlier in the thread, I'm going to continue working on a solution in code, but if we decide to pull it out altogether then it certainly won't hurt my feelings!

Aaron

--