On Tue, Apr 09, 2002 at 12:59:16PM -0700, Karsten M. Self wrote:
> on Tue, Apr 09, 2002, Matijs van Zuijlen ([EMAIL PROTECTED]) wrote:
> > On Tue, Apr 09, 2002 at 03:50:54AM -0700, Karsten M. Self wrote:
> > > :0:
> > > * ^X-Mailing-List: <\/[^@<>]+
> > > $LISTDIR/$MATCH/
> >
> > As has been noted[1] in another thread on the same subject on
> > debian-devel: this is dangerous. Someone could just send an email with
> >
> > X-Mailing-List: <../something>
> >
> > in its headers to overwrite your file ~/something (and try other
> > variations if that didn't work).
> >
> > [1] See:
> > http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg02132.html
>
> Good point. I was concerned about that...
>
> Since it's matching on X-foo headers, it doens't have to pass RFC
> 822/2822 rules either.
>
> What's a good regexp that will catch characters up to the '@' then?
>
> * ^X-BeenThere: \/[^.@<>]+
>
> ...will at least prevent the parent directory trick. Is there a good
> washer for something like this that can be put into procmail?
The message I refered to suggests:
:0:
* ^X-Mailing-List:.*debian-\/[-a-zA-Z0-9]*
debian/${MATCH}
for debian lists, so I would think something like:
* ^X-BeenThere: \/[-a-zA-Z0-9]+
would work for most mailing lists. Otherwise, their names would be
really weird. Whether this is a good option depends on what you want to
happen if any other characters appear before the @. IIRC I saw someone
put to *-lines in a row. Maybe something along the lines of:
* ^X-BeenThere: [-a-zA-Z0-9]+@
* ^X-BeenThere: \/[-a-zA-Z0-9]+
would work? But maybe someone with more procmail knowledge should
comment on this.
--
Note that I use Debian version 3.0
Linux mus 2.4.17mvz4 #1 Fri Mar 15 23:30:15 CET 2002 i686 unknown
Matijs van Zuijlen
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
