On Tue, Apr 09, 2002 at 12:59:16PM -0700, Karsten M. Self wrote:
> on Tue, Apr 09, 2002, Matijs van Zuijlen ([EMAIL PROTECTED]) wrote:
> > On Tue, Apr 09, 2002 at 03:50:54AM -0700, Karsten M. Self wrote:
> > >     :0:
> > >     * ^X-Mailing-List: <\/[^@<>]+
> > >     $LISTDIR/$MATCH/
> > 
> > As has been noted[1] in another thread on the same subject on
> > debian-devel: this is dangerous. Someone could just send an email with
> > 
> >     X-Mailing-List: <../something>
> > 
> > in its headers to overwrite your file ~/something (and try other
> > variations if that didn't work).
> > 
> > [1] See:
> > http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg02132.html
> 
> Good point.  I was concerned about that...
> 
> Since it's matching on X-foo headers, it doesn't have to pass RFC
> 822/2822 rules either.
> 
> What's a good regexp that will catch characters up to the '@' then?
> 
>     * ^X-BeenThere: \/[^.@<>]+
> 
> ...will at least prevent the parent directory trick.  Is there a good
> washer for something like this that can be put into procmail?

The message I referred to suggests:

    :0:
    * ^X-Mailing-List:.*debian-\/[-a-zA-Z0-9]*
    debian/${MATCH}

for debian lists, so I would think something like:

    * ^X-BeenThere: \/[-a-zA-Z0-9]+

would work for most mailing lists. Otherwise, their names would be
really weird. Whether this is a good option depends on what you want to
happen if any other characters appear before the @. IIRC I saw someone
put two *-lines in a row. Maybe something along the lines of:

    * ^X-BeenThere: [-a-zA-Z0-9]+@
    * ^X-BeenThere: \/[-a-zA-Z0-9]+

would work? But maybe someone with more procmail knowledge should
comment on this.

-- 
Note that I use Debian version 3.0
Linux mus 2.4.17mvz4 #1 Fri Mar 15 23:30:15 CET 2002 i686 unknown

Matijs van Zuijlen
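
Added example, not part of the original message: a Python approximation of how the conditions quoted in this thread fill $MATCH, and where a `$LISTDIR/$MATCH/` action would then deliver. The `LISTDIR` value and the three sample headers are constructed, and Python's `re` stands in for procmail's own matcher.

```python
import posixpath
import re

LISTDIR = "/home/user/lists"  # assumed value of $LISTDIR (constructed)

# Conditions from the thread; procmail's "\/" (start of $MATCH) becomes a group.
RECIPES = {
    "original":  [r"^X-Mailing-List: <([^@<>]+)"],
    "no-dots":   [r"^X-BeenThere: ([^.@<>]+)"],
    "whitelist": [r"^X-BeenThere: ([-a-zA-Z0-9]+)"],
    "two-line":  [r"^X-BeenThere: [-a-zA-Z0-9]+@",
                  r"^X-BeenThere: ([-a-zA-Z0-9]+)"],
}

# Constructed sample headers.
BENIGN = ("X-Mailing-List: <debian-user@lists.debian.org>\n"
          "X-BeenThere: debian-user@lists.debian.org\n")
HOSTILE = ("X-Mailing-List: <../something>\n"
           "X-BeenThere: ../something@example.org\n")
MIXED = "X-BeenThere: list/../../x@example.org\n"

def match_value(recipe, headers):
    """Return what $MATCH would hold, or None if any condition fails."""
    match = None
    for pattern in RECIPES[recipe]:
        # Test one header line at a time so a class never spans a newline.
        hits = [m for m in (re.match(pattern, line, re.IGNORECASE)
                            for line in headers.splitlines()) if m]
        if not hits:
            return None          # all "*" conditions must hold
        if hits[0].groups():
            match = hits[0].group(1)
    return match

def delivery(recipe, headers):
    """Return (resolved path, stays inside LISTDIR), or None if no delivery."""
    value = match_value(recipe, headers)
    if value is None:
        return None
    # Plain string concatenation, as in the action line $LISTDIR/$MATCH/
    path = posixpath.normpath(LISTDIR + "/" + value + "/")
    return path, path.startswith(LISTDIR + "/")

if __name__ == "__main__":
    samples = (("benign", BENIGN), ("hostile", HOSTILE), ("mixed", MIXED))
    for recipe in RECIPES:
        for label, headers in samples:
            print(f"{recipe:10} {label:8} {delivery(recipe, headers)}")
```

On the mixed header the single whitelist condition truncates at the first disallowed character and files the message under `list`, while the two-condition form does not match at all, so the message falls through to later recipes.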

