> > Please, is there *anyone* that can see a new security hole here !?

The Mail address must not contain the quote character;

> Otherwise, just add something to quote the (scarily valid) ' character in case
> it appears in an address.  Otherwise, shifting your quotes on the exec to
> single quotes will catch everything else. 

And do quote your quote character as well!

> #!/usr/bin/perl

did you try "tainted" mode? i would prefer it.

and do "use strict;" - it forces you to write clean scripts, which tend to
have fewer errors *g*

> my $address = "$ENV{LOCAL}\@$ARGV[0]";
> $address =~ s/\'/\\\'/g;

$address =~ s/(['\\])/\\$1/g;

> open(MAIL, "|/var/qmail/bin/qmail-inject \'$address\'") || print "Cannot run qmail-inject" && exit 111;
> while(<STDIN>) { 
>       print M $_; 
    print MAIL $_;
> }
> close(MAIL);
> if ($? == 100) {
>       print "Qmail-Inject has rejected the message!";
>       exit 111;
> }
> 
> I added some error checking too.. I haven't run this yet, but it should work
> (or be darn close)

darn close.

But i have to state clearly that i'd prefer some shell command without the
dangerous variable $address in it...

But i have no qmail-inject documentation ready, and my DSL link is currently
down (damn T-Online... i think 7th downtime in 4 days... well, it's no
business line but my home Internet Connection. if it'd be business...)

DO read perlfaq9
it has a section "How do I check a valid mail address?"

       Many are tempted to try to eliminate many frequently-
       invalid mail addresses with a simple regex, such as
       /^[\w.-]+\@([\w.-]\.)+\w+$/'.  It's a very bad idea.
       However, this also throws out many valid ones, and says
       nothing about potential deliverability, so is not
       suggested.  Instead, see
       http://www.perl.com/CPAN/authors/Tom_Christiansen/scripts/ckaddr.gz ,
       which actually checks against
       the full RFC spec (except for nested comments), looks for
       [...]

The cited RE is what i would have written; but this is a slightly
different case; and i do know that this RE does not allow all possible
rfc822 conformant addresses.
p.e. "'@<>"@domain.tld is a correct address, i believe.
(it's [EMAIL PROTECTED], which is correct)

Greetings,
Erich
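
What the reply asks for (taint mode, `use strict`, and no shell command with `$address` in it), as an added example that is not part of the original thread: Perl's list-form pipe open passes the address to qmail-inject as a single argv element, so no quote escaping is involved. The helper names `clean_address` and `deliver` and the validation rule are assumptions of this example; the qmail-inject path, `$ENV{LOCAL}`, `$ARGV[0]` and exit code 111 are taken from the quoted script.

```perl
#!/usr/bin/perl -T
# Run as ./script or "perl -T script"; taint mode cannot be switched on late.
use strict;
use warnings;

# Taint mode refuses to exec until the environment is known-safe.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $INJECT = '/var/qmail/bin/qmail-inject';    # path from the quoted script

# Validate and untaint the recipient (assumed rule, not an RFC 822 check).
# No shell sees it, so quotes are harmless; what is still refused is a NUL,
# a line break, an empty local or domain part, and a leading '-' that the
# program could read as an option.
sub clean_address {
    my ($raw) = @_;
    return $raw =~ /\A([^-\0\r\n][^\0\r\n]*\@[^\0\r\n]+)\z/ ? $1 : undef;
}

# Pipe $in to $prog with $address as one argv element. The list form of open
# forks and execs directly, so /bin/sh never parses the address (inside sh
# single quotes a backslash does not escape a quote, so escaping is fragile).
# Returns undef on success, an error string otherwise.
sub deliver {
    my ($prog, $address, $in) = @_;
    local $SIG{PIPE} = 'IGNORE';               # a dying child must not kill us
    open(my $mail, '|-', $prog, $address) or return "cannot run $prog: $!";
    while (my $line = <$in>) {
        print {$mail} $line or last;
    }
    close($mail) and return;
    return $! ? "write to $prog failed: $!"
              : "$prog exited with status " . ($? >> 8);  # exit code, not raw $?
}

my $local = defined $ENV{LOCAL} ? $ENV{LOCAL} : '';
my $host  = defined $ARGV[0]    ? $ARGV[0]    : '';
my $address = clean_address("$local\@$host");
unless (defined $address) {
    print "Refusing malformed recipient address\n";
    exit 111;
}
if (defined(my $err = deliver($INJECT, $address, \*STDIN))) {
    print "$err\n";
    exit 111;
}
```

An address such as `"'@<>"@domain.tld` passes `clean_address` unchanged and reaches the child process byte for byte, because nothing between `open` and `exec` interprets it.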
