On Mon, 07 Jun 2010, Tony Shadwick wrote:
> In spamass-milter.cpp, you have this:
>
> /* open a pipe to sendmail so we can do address
> expansion */
>
> char buf[1024];
> char *fmt="%s -bv \"%s\" 2>&1";
>
> I changed it to be this instead:
>
> char *fmt="%s -q \"%s\" /etc/postfix/virtual 2>&1";

You don't want to do this. This leads to the remote exploit of
spamass-milter shown and fixed here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

> Huh? Why are the < and > getting left on the address? I didn't
> comment anything out that got rid of them. Have they always been
> passed to sendmail -bv?

sendmail is passed the envelope recipient directly as it is reported
to spamass-milter; '<[email protected]>' is a perfectly legitimate
envelope recipient.

Don Armstrong

-- 
No matter how many instances of white swans we may have observed, this
does not justify the conclusion that all swans are white.
 -- Sir Karl Popper _Logic of Scientific Discovery_

http://www.donarmstrong.com http://rzlab.ucr.edu
