[imp] From line creation? (2.2.4)
Rich Lafferty
rich@horde.org
Wed, 7 Feb 2001 13:49:27 -0500
On Wed, Feb 07, 2001 at 12:28:11PM -0600, Marius Strom (marius@marius.org) wrote:
> Right, but that could easily be evaded by changing my From address to:
> marius@alpha1.net" ; <evil command here>.
>
> There need to be some other heuristics (which I don't possess,
> unfortunately) for validating email addresses. Perhaps a regex search
> through the email address for [^a-zA-Z0-9.@+] characters?
That'll break on legal addresses such as <*@qz.to>. Would addslashes()
solve the particularly evil cases?
-Rich
--
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------
Date: Wed, 7 Feb 2001 13:52:06 -0500
From: Chuck Hagenbuch <chuck@horde.org>
To: imp@lists.horde.org
Subject: Re: [imp] From line creation? (2.2.4)
Quoting Marius Strom <marius@marius.org>:
> Right, but that could easily be evaded by changing my From address to:
> marius@alpha1.net" ; <evil command here>.
Note that I said "I don't want to re-open any security holes" and haven't
actually committed anything yet. I know there need to be other rules. I'm not
going to blindly revert the change.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"My intuitive grasp of math often leads me astray." -Me
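
An added example (not part of the thread and not IMP's own code) that runs the two suggestions discussed above, the character allowlist and addslashes(), next to PHP's escapeshellarg(). It assumes the From address is interpolated into a double-quoted argument of a shell command; the sendmail command line and the helper names are hypothetical, and the sample addresses are constructed from the ones quoted in the thread.

```php
<?php
// Added example, not IMP/Horde code. Assumption: the From address is placed
// inside a double-quoted argument of a /bin/sh command line.

// Constructed samples based on the addresses quoted in the thread; the
// placeholder text is kept as a placeholder.
$samples = [
    'marius@alpha1.net',
    '*@qz.to',
    'marius@alpha1.net" ; <evil command here>',
    'marius@alpha1.net$(<evil command here>)',
];

// Allowlist proposed in the thread: reject any character outside the set.
function passes_allowlist(string $addr): bool
{
    return preg_match('/[^a-zA-Z0-9.@+]/', $addr) === 0;
}

// addslashes() backslash-escapes ', ", \ and NUL only. Inside sh double
// quotes, $ and ` still start an expansion, so report whether any remain.
function expansion_survives_addslashes(string $addr): bool
{
    return strpbrk(addslashes($addr), '$`') !== false;
}

// Hypothetical command line, built but never executed. escapeshellarg()
// wraps the value in single quotes (Unix), where sh expands nothing.
function build_command(string $addr): string
{
    return '/usr/sbin/sendmail -t -f ' . escapeshellarg($addr);
}

foreach ($samples as $addr) {
    printf(
        "%s\n  allowlist accepts: %s\n  addslashes: \"%s\" (expansion still possible: %s)\n  escapeshellarg: %s\n",
        $addr,
        passes_allowlist($addr) ? 'yes' : 'no',
        addslashes($addr),
        expansion_survives_addslashes($addr) ? 'yes' : 'no',
        build_command($addr)
    );
}
```

The allowlist rejects the legal address `*@qz.to` together with the two hostile strings, while escapeshellarg() keeps all four samples as a single literal argument.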