Your message dated Wed, 31 Jan 2007 12:12:09 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#408087: Subject is evaluated as a regular expression
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: minimalist
Version: 2.5.2-1

It seems that minimalist isn't properly quoting metacharacters when
processing email subjects.

For example if I send a message to the minimalist with subject "((((" I
get this error back:

> This message was created automatically by mail delivery software.
> 
> A message that you sent could not be delivered to one or more of its 
> recipients. This is a permanent error. The following address(es)
> failed:
> 
> pipe to |/usr/bin/minimalist generated by [EMAIL PROTECTED] local
> delivery failed
> 
> The following text was generated during the delivery attempt:
> 
> ------ pipe to |/usr/bin/minimalist generated by
> [EMAIL PROTECTED] ------
> 
> Unmatched ( in regex; marked by <-- HERE in m/^(((( <-- HERE $/ at
> /usr/bin/minimalist line 771, <STDIN> line 13.

This could get dangerous with some more inventive use of regular
expressions (like the (?{...}) construct). Currently perl safety
functions seem to prevent this bug from being exploitable, but people
usually recommend against passing unsanitized user-supplied strings as
regular expressions.

System information:

Debian release: Sarge
Architecture: i386
Kernel: Linux 2.4.33.3

ii  minimalist     2.5.2-1
ii  perl           5.8.4-8sarge5


--- End Message ---
--- Begin Message ---
Version: 2.5.3-1

Re: Tomaz Solc 2007-01-23 <[EMAIL PROTECTED]>
> Version: 2.5.2-1
> 
> It seems that minimalist isn't properly quoting metacharacters when
> processing email subjects.
> 
> For example if I send a message to the minimalist with subject "((((" I
> get this error back:

Hi Tomaz,

thanks for the report.

However, this is already fixed in the latest upstream version in
etch/sid.

 $qcmd = quotemeta($cmd);
 if (! grep(/^$qcmd$/, %cmds)) { # Bad syntax or unknown instruction.
   goto BadSyntax; }

Please consider upgrading, the etch package is installable on sarge.

Christoph
-- 
[EMAIL PROTECTED] | http://www.df7cb.de/



--- End Message ---
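
The failure and the fix discussed in this thread, as an added Perl example that is not minimalist's own code. The command table, the helper names and the test subjects are assumptions constructed for illustration, and the example goes one step beyond the thread by also showing a regex-free hash lookup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed command table; minimalist's real %cmds is not shown in the thread.
my %cmds = map { $_ => 1 } qw(subscribe unsubscribe help info);

# Pre-fix behaviour: the subject is compiled as regex source.
# eval traps the compile error that otherwise aborts the delivery pipe.
sub lookup_unquoted {
    my ($cmd) = @_;
    my $hits = eval { scalar(grep { /^$cmd$/ } keys %cmds) };
    return 'died' unless defined $hits;
    return $hits ? 'accepted' : 'rejected';
}

# The fix quoted in the reply: quotemeta() escapes every metacharacter,
# so the subject can only match itself literally.
sub lookup_quoted {
    my ($cmd) = @_;
    my $qcmd = quotemeta($cmd);
    my $hits = grep { /^$qcmd$/ } keys %cmds;
    return $hits ? 'accepted' : 'rejected';
}

# Alternative (assumption, not from the thread): skip the regex engine
# entirely and test hash membership.
sub lookup_exact {
    my ($cmd) = @_;
    return exists $cmds{$cmd} ? 'accepted' : 'rejected';
}

# Constructed subjects: a valid command, the reporter's "((((",
# a wildcard pattern, and the (?{...}) construct named in the report.
for my $subject ('help', '((((', '.*', '(?{ 1 })') {
    printf "%-12s unquoted=%-9s quoted=%-9s exact=%s\n",
        "[$subject]",
        lookup_unquoted($subject),
        lookup_quoted($subject),
        lookup_exact($subject);
}
```

The unquoted lookup dies on `((((` and on `(?{ 1 })` (Perl refuses eval groups in interpolated patterns unless `use re 'eval'` is in effect), and it accepts `.*` as though it were a known command; the quoted and exact lookups reject all three.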