On Wed, May 09, 2001 at 09:58:18PM +0100, Ace Suares wrote:
>
> There is some serious security problem with the perl script I have
> provided. I hoped that by sending the script to the list, someone
> would say: hey guy, you should escape your arguments!
<..snip..>
> The new script quotes the arguments, like this:
> -----------
> #!/usr/bin/perl
> open(M, "|/var/qmail/bin/qmail-inject \"$ENV{LOCAL}\@$ARGV[0]\"");
> while(<STDIN>) { print M $_; }
> close M;
> -------------
>
> Please, is there *anyone* that can see a new security hole here !?
My first instinct was to make sure the address you were generating was valid;
but since qmail allready passed it to the script, it's probably not that big
of a deal. If this is going to be run from any other source where you don't
trust your input, you really should be passing the arguments through a regex
to validate the characters.
Otherwise, just add something to quote the (scarily valid) ' character in case
it appears in an address. Otherwise, shifting your quotes on the exec to
single quotes will catch everything else.
#!/usr/bin/perl
my $address = "$ENV{LOCAL}\@$ARGV[0]";
$address =~ s/\'/\\\'/g;
open(MAIL, "|/var/qmail/bin/qmail-inject \'$address\'") || print "Cannot run
qmail-inject" && exit 111;
while(<STDIN>) {
print M $_;
}
close(MAIL);
if ($? == 100) {
print "Qmail-Inject has rejected the message!";
exit 111;
}
I added some error checking too.. I haven't run this yet, but it should work
(or be darn close)
Adam
--
[EMAIL PROTECTED] - (http://sysadminsith.org)
Evil Lord of the Sysadmin Sith Darth Rmdashrf
