[Mimedefang] Re: Filesystem based greylisting URL
Atanas
mimedefang at asd.aplus.net
Mon Aug 30 14:06:52 EDT 2004
On Fri, 27 Aug 2004, David F. Skoll wrote:
> Pretty cool. However, using user-supplied data to construct
> filenames worries me slightly. I can imagine an attacker
> doing something like:
>
> MAIL FROM:<foo///../../../../../../../../etc/mischief at domain.net>
>
Slashes should be already taken care of ($file =~ s/\///g;). Correct me
if I'm wrong, but I couldn't think about any other characters that would
be invalid in a UFS filename.
> I can't see any way to really exploit this, given that MIMEDefang should
> be running as the "defang" user, but still... I would sanitize the incoming
> e-mail addresses,
>
I agree that better sanitizing (by removing any non-ASCII junk,
something like $file =~ s/[^<\w\@\.>-]//g;) won't hurt anything.
I hope sendmail also does some validation, but I'd not rely on that.
> or better yet, use a SHA1 hash rather than the actual
> address.
>
I wanted it simple. Using a hash (i.e. encrypting the greylist) would
limit the searching possibilities and make it harder to maintain and
troubleshoot.
For instance now I can list entries just by domain name with "ls -l
*/*domain1.com*". With encryption in place to do so I would need to know
also all sender, recipient and relay addresses of each email, perform a
hash lookup and list entries one by one.
Regards,
Atanas
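
Added example, not part of the original message or of MIMEDefang: one way in Perl to combine the two positions in this thread, keeping the sanitized address readable for `ls` and appending a SHA1 of the original only when sanitizing changed the name. `safe_component`, `$NAME_MAX` and the sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use File::Temp qw(tempdir);

my $NAME_MAX = 255;    # assumption: per-component limit of the filesystem

# Hypothetical helper: map one untrusted address to one filename component.
sub safe_component {
    my ($addr) = @_;                  # assumed to be raw bytes from SMTP
    (my $file = $addr) =~ s/\///g;    # slash removal quoted in the thread
    $file =~ s/[^<\w\@\.>-]//ag;      # whitelist from the thread; /a = ASCII \w
    $file =~ s/^\.+//;                # never ".", ".." or a hidden dotfile
    # If anything was stripped (or the name is empty or too long), append the
    # SHA1 of the original so distinct addresses cannot share one entry.
    if ($file ne $addr or $file eq '' or length($file) > $NAME_MAX) {
        $file = substr($file, 0, $NAME_MAX - 41) . '~' . sha1_hex($addr);
    }
    return $file;
}

# Constructed sample senders, including the one from the quoted message.
my @samples = (
    'user@domain.net',
    'foo///../../../../../../../../etc/mischief@domain.net',
    'a/b@domain.net',                 # would collide with the next one
    'ab@domain.net',
    '..',
    "x\0y\@domain.net",               # embedded NUL byte
    ('a' x 300) . '@domain.net',      # longer than NAME_MAX
);

my $dir = tempdir(CLEANUP => 1);
for my $addr (@samples) {
    my $name = safe_component($addr);
    # Defensive re-check before the name ever reaches open().
    die "unsafe name\n" if $name =~ m{[/\0]} or $name =~ /^\.\.?$/;
    die "name too long\n" if length($name) > $NAME_MAX;
    open my $fh, '>', "$dir/$name" or die "open: $!";
    close $fh;
    print "$name\n";
}

# Searching by domain still works on the readable part of each name.
my @hits = glob("$dir/*domain.net*");
print scalar(@hits), " entries match *domain.net*\n";
```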