[Mimedefang] use strict
Kenneth Porter
shiva at sewingwitch.com
Wed Apr 13 23:16:14 EDT 2005

--On Wednesday, April 13, 2005 9:05 PM -0400 "David F. Skoll"
<dfs at roaringpenguin.com> wrote:
> Kenneth Porter wrote:
>
>> In addition to "use strict", does it make sense to use "-wT"?
>
> Taint-checking would probably cause lots of problems.

I just tested it by adding -wT to mimedefang.pl and the only error I got
was the "require $Filter". After untainting $Filter I could run
"mimedefang.pl -test" cleanly. If I leave this in, is there some other way
it can bite me that won't show up in a -test run?

Is taint-checking inherited by the required user script or do I need to
specify it again there?

>> (Presumably this would need to be in mimedefang.pl.) Could a hostile
>> sender effect a shell escape in a poorly-written filter?
>
> Well, by definition, a "poorly-written" filter can let a hostile
> sender do anything. :-) You could write a filter that executes
> the subjects of incoming e-mails as shell commands if you really
> wanted to.

<IncredulousOEUser>
That would be nifty!
</IncredulousOEUser>

;)

BTW, I added "use strict; use warnings;" to my filter and it turned up not
only my aforementioned bug but a couple more variables missing "my"
declarations (from the stock filter, $FoundVirus in filter_begin). Perhaps
you could add these at the top of the stock filter. This shouldn't cause
incompatibility since users have to migrate changes manually anyway.
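
One way to do the untainting step mentioned in the message above, as an added example that is not part of the original post or of mimedefang.pl: a narrow allow-list pattern captures the filter path before it would be handed to require. The helper name untaint_filter_path, the sample paths and the pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from mimedefang.pl. The paths and the allow-list
# pattern are assumptions for illustration. Run as: perl -T untaint-demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted copy of $path, or undef if it is not an absolute path
# made of safe characters. Only a regex capture clears the taint flag, so
# the pattern is the real security check and should stay narrow.
sub untaint_filter_path {
    my ($path) = @_;
    return undef unless defined $path;
    return undef if $path =~ m{(?:\A|/)\.\.?(?:/|\z)};   # no "." or ".." parts
    return $1 if $path =~ m{\A((?:/[A-Za-z0-9_.-]+)+)\z};
    return undef;
}

# Constructed sample inputs. Appending a zero-length slice of "$0$^X", which
# is tainted under -T, taints each string like a command-line argument.
my $taint = substr("$0$^X", 0, 0);
my @candidates = map { $_ . $taint } (
    '/etc/mail/mimedefang-filter',        # accepted
    '/etc/mail/../../tmp/other-filter',   # rejected: ".." component
    'mimedefang-filter',                  # rejected: not absolute
    '/etc/mail/filter name;x',            # rejected: characters outside the set
);

for my $candidate (@candidates) {
    my $clean = untaint_filter_path($candidate);
    my $verdict = defined $clean
        ? sprintf('accepted, tainted=%d', tainted($clean) ? 1 : 0)
        : 'rejected';
    printf "%-36s tainted=%d -> %s\n",
        $candidate, (tainted($candidate) ? 1 : 0), $verdict;
}

# ${^TAINT} reports the interpreter-wide setting. A file loaded with
# require runs in the same interpreter, so it is taint-checked as well.
print 'taint mode: ', ${^TAINT}, "\n";
```

A pattern such as (.*) would also clear the taint flag while checking nothing, which is why the capture is restricted to an explicit character set here.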