[Mimedefang] SA "Whitelist_to"?

David F. Skoll dfs at roaringpenguin.com
Wed May 29 12:42:26 EDT 2002


On Wed, 29 May 2002, Ben Kadish wrote:

> Added to filter_begin:

>      $SAskip = 0;
>      @SAskipaddrs = ("addr1 at to.skip");

Minor Perl syntax gotcha:  You have to use single-quotes (because of the '@')
(Did I ever mention that I hate Perl? :-))

>      for $rec (@Recipients) {
>          for $addr (@SAskipaddrs) {
>              if ($addr =~ m/$rec/) { $SAskip = 1 };

Using a regexp like this is bad, because you have no control over
$rec, so an attacker might be able to force a match or do other bad
things (e.g., a regexp which is incorrect which causes your filter to
fail.)  What you want is:

loop:
	for $rec (@Recipients) {
		# Strip potential angle brackets
		$rec =~ tr/<>//d;
		for $addr (@SAskipaddrs) {
			if ($addr eq $rec) {
				$SAskip = 1;
				last loop;
			}
		}
	}

You want the address to match completely, allowing for possible
angle-brackets.  It's not very safe to use regexps on e-mail addresses
because they often contain metacharacters (like dots.)

No doubt macho Perl hackers can write the entire loop in a single
statement...

> if ($Features{"SpamAssassin"}) {
>          if ((-s "./INPUTMSG" < 256*1024) && ($SAskip == 0))

That's fine.

Regards,

David.
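
The two comparisons discussed above, side by side, as an added example that is not part of the original message. The whitelist address and recipient strings are constructed placeholders, and skip_by_regex and skip_by_eq are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed whitelist entry (placeholder address, not from the original post).
# Single quotes keep Perl from interpolating '@example' as an array.
my @SAskipaddrs = ('postmaster@example.com');

# Unsafe form from the quoted filter: the envelope recipient, which the
# sending client controls, is interpolated as the regex pattern.
# Returns 1 on match, 0 on no match, 'error' if the pattern does not compile.
sub skip_by_regex {
    my ($rcpt) = @_;
    my $hit = 0;
    my $ok = eval {
        for my $addr (@SAskipaddrs) {
            $hit = 1 if $addr =~ m/$rcpt/;
        }
        1;
    };
    return $ok ? $hit : 'error';
}

# Form recommended in the reply: strip angle brackets (from a copy, so the
# caller's value is untouched), then require exact string equality.
sub skip_by_eq {
    my ($rcpt) = @_;
    (my $bare = $rcpt) =~ tr/<>//d;
    for my $addr (@SAskipaddrs) {
        return 1 if $addr eq $bare;
    }
    return 0;
}

# Constructed recipients covering the cases the reply describes.
my @samples = (
    '<postmaster@example.com>',  # whitelisted, with angle brackets
    '<other@example.com>',       # not whitelisted
    '.',                         # metacharacter: matches any address
    'postmaster',                # unanchored substring of the whitelist entry
    '(',                         # invalid pattern: regex compilation dies
);

for my $rcpt (@samples) {
    printf "%-28s regex=%-5s eq=%s\n",
        $rcpt, skip_by_regex($rcpt), skip_by_eq($rcpt);
}
```

Without the eval, the invalid pattern would abort the filter at that point, which is the failure mode the reply warns about.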
