Hamid Maadani via Postfix-devel:
> > There was a missing update to the makedefs script (in the top-level
> > directory). The updated code is at
> > https://github.com/wietse-postfix/postfix-dukhovni/tree/mongodb
> 
> hmm.. I'm still getting the same type of error after a rebuild:
> Dec 06 17:32:07 mail postfix/proxymap[2595]: fatal: load_library_symbols: 
> dlopen failure loading
> /usr/lib/postfix/postfix-mongodb.so: Error relocating 
> /usr/lib/postfix/postfix-mongodb.so:
> mongoc_client_new_from_uri_with_error: symbol not found

Your original code calls mongoc_client_new(). The _with_error()
variant was added two years ago.

How would I find out which mongo-c library version supports the
_with_error() variant which gives a better error message?

The on-line documentation is not quite clear about that, it seems
to assume that everyone will be using the latest and greatest.

> > (major) there is no code to escape special characters when parts
> > or all of a Postfix query are pasted into the MongoDB query filter.
> > I think that at the very least, quotes and backslashes should be
> > escaped with a backslash. I can add a little function for that and
> > update the mongodb_table file.
> 
> This is a good point. Honestly, I didn't think about escaping characters
> because the queries are meant to be in JSON form and taken literally, e.g.:
> filter = {"$$or": [{"username":"%s"}, {"alias.address": "%s"}], "active": 1}
> So I left it to the user to escape. But it might be a good idea to add that
> (maybe by using bson_utf8_escape_for_json after expansion?)

The "%s" stuff will paste in bits from the Postfix query, which 
can be an email address provided by a hostile SMTP client.

A hostile client could use an address that contains quotes or 
backslashes, to change the structure of the MongoDB query,
and exercise database features that you did not intend.

If the idea is that the "user" would escape the quotes etc.,
then I wonder what user you have in mind. It can't be the
person who configures Postfix or the person who maintains the
database.

> > (minor) the database config file parser does not expand $name,
> > ${name} etc. so '$$' is taken literally, not as '$'. I can remove
> > that text from the mongodb_table file
> 
> I think in the mongodb_table file, the expansions like $$ are included for
> query_filter and projection. "query_filter" is expanded in 
> dict_mongodb_lookup 
> (line 411), but projection is not. would be best to expand projection as well
> (maybe around line 377?)

What code is supposed to pay attention to '$' characters? The Postfix client?
The MongoC library?

        Wietse
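
The escaping suggested in the message above (a backslash before quotes and backslashes in the pasted lookup key), as an added example that is not part of the original message or of the Postfix source. The names `put()` and `expand_filter()` are hypothetical, the filter template and lookup key are constructed, and the handling of control characters goes beyond the minimum the message asks for.

```c
#include <stdio.h>
#include <string.h>

/* Append the n bytes at s to out (capacity len); -1 if they do not fit. */
static int put(char *out, size_t len, const char *s, size_t n)
{
    size_t used = strlen(out);
    if (used + n >= len) return -1;
    memcpy(out + used, s, n);
    out[used + n] = 0;
    return 0;
}

/* Added example, not Postfix source. Expand each "%s" in tmpl with key; if
 * escape != 0, write it as the inside of a JSON string: backslash before
 * quote and backslash, control characters as JSON unicode escapes.
 * Returns 0, or -1 when out (capacity len) is too small. */
int expand_filter(char *out, size_t len, const char *tmpl, const char *key,
                  int escape)
{
    const unsigned char *cp;
    char buf[16];
    if (len == 0) return -1;
    for (out[0] = 0; *tmpl; tmpl++) {
        if (tmpl[0] != '%' || tmpl[1] != 's') {     /* literal template byte */
            if (put(out, len, tmpl, 1) < 0) return -1;
            continue;
        }
        for (tmpl++, cp = (const unsigned char *) key; *cp; cp++) {
            if (escape && *cp < 0x20)
                snprintf(buf, sizeof(buf), "\\u%04x", (unsigned) *cp);
            else if (escape && (*cp == '"' || *cp == '\\'))
                snprintf(buf, sizeof(buf), "\\%c", *cp);
            else
                snprintf(buf, sizeof(buf), "%c", *cp);
            if (put(out, len, buf, strlen(buf)) < 0) return -1;
        }
    }
    return 0;
}

int main(void)
{
    const char *tmpl = "{\"username\": \"%s\", \"active\": 1}"; /* constructed */
    const char *key = "a\"b\\c@example.com";        /* constructed lookup key */
    char raw[128], esc[128];
    if (expand_filter(raw, sizeof(raw), tmpl, key, 0) == 0
        && expand_filter(esc, sizeof(esc), tmpl, key, 1) == 0)
        printf("raw:     %s\nescaped: %s\n", raw, esc);
    return 0;
}
```

In the unescaped output the quote inside the key ends the "username" string early, so the rest of the key is parsed as filter structure; in the escaped output the key stays inside one string value.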