[Mimedefang] SA "Whitelist_to"?
David F. Skoll
dfs at roaringpenguin.com
Wed May 29 12:42:26 EDT 2002
On Wed, 29 May 2002, Ben Kadish wrote:
> Added to filter_begin:
> $SAskip = 0;
> @SAskipaddrs = ("addr1 at to.skip");
Minor Perl syntax gotcha: You have to use single-quotes (because of the '@')
(Did I ever mention that I hate Perl? :-))
> for $rec (@Recipients) {
> for $addr (@SAskipaddrs) {
> if ($addr =~ m/$rec/) { $SAskip = 1 };
Using a regexp like this is bad, because you have no control over
$rec, so an attacker might be able to force a match or do other bad
things (e.g., a regexp which is incorrect which causes your filter to
fail.) What you want is:

    loop:
    for $rec (@Recipients) {
        # Strip potential angle brackets
        $rec =~ tr/<>//d;
        for $addr (@SAskipaddrs) {
            if ($addr eq $rec) {
                $SAskip = 1;
                last loop;
            }
        }
    }

You want the address to match completely, allowing for possible
angle-brackets. It's not very safe to use regexps on e-mail addresses
because they often contain metacharacters (like dots.)
No doubt macho Perl hackers can write the entire loop in a single
statement...
> if ($Features{"SpamAssassin"}) {
> if ((-s "./INPUTMSG" < 256*1024) && ($SAskip == 0))
That's fine.
Regards,
David.
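
The two tests discussed in the message above, run side by side as an added example (not code from the original post or from MIMEDefang): the recipient-as-pattern match from the quoted filter against the exact comparison from the reply. The helper names `regex_skip` and `exact_skip` are hypothetical, and the whitelist entry and all recipient strings are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed whitelist entry; single quotes keep '@' from being interpolated.
my @SAskipaddrs = ('addr1@to.skip');
my %skip = map { ($_, 1) } @SAskipaddrs;

# Test from the quoted filter: the recipient string is used as the pattern.
# eval traps the die that an invalid pattern raises when it is compiled.
sub regex_skip {
    my ($rec) = @_;
    my $hit = eval {
        my $m = 0;
        for my $addr (@SAskipaddrs) { $m = 1 if $addr =~ m/$rec/ }
        $m;
    };
    return defined $hit ? $hit : 'filter died';
}

# Test from the reply: strip angle brackets, then compare the whole string.
# Works on a copy so the caller's recipient list is left unchanged.
sub exact_skip {
    my ($rec) = @_;
    (my $bare = $rec) =~ tr/<>//d;
    return $skip{$bare} ? 1 : 0;
}

# Constructed envelope recipients (sample data only).
my @Recipients = (
    '<addr1@to.skip>',     # whitelisted address, with angle brackets
    'addr1@to.skip',       # whitelisted address, bare
    'r1@to.s',             # different address, substring of the entry
    'addr1@to.sk.p',       # different address, dots act as wildcards
    'user(@bad.example',   # not a valid pattern: unbalanced parenthesis
);

printf "%-20s %-12s %s\n", 'recipient', 'regex', 'exact';
for my $rec (@Recipients) {
    printf "%-20s %-12s %s\n", $rec, regex_skip($rec), exact_skip($rec);
}
```

The hash lookup in `exact_skip` replaces the inner loop over `@SAskipaddrs` but keeps the same whole-string comparison the reply asks for.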