[sork] Re: Horde .forward interface

Eric Rostetter eric.rostetter@physics.utexas.edu
Tue, 20 Aug 2002 14:30:15 -0500


Quoting Myke Place <mp@xmission.com>:

> Hi Eric,

Hi.  Hope you don't mind, I'm CC'ing this to the mailing list as I 
think it would be of general interest.

> I'm planning to implement your code to set .forward files at the ISP where
> I work. I'm pretty much a PHP newb (although I'm becoming converted, heh).

Sounds good.

> I'm trying to add functionality that would prevent a user from creating a
> .forward file with a pipe command ala '|/bin/sh' or whatever. Before I

Ah, interesting.  That could probably be added, as a configuration option.

From a security point of view, you would be much better off restricting
this at the MTA (sendmail, etc) or whatever is doing the forwarding
(procmail, etc).  But, if you are already blocking it at the MTA or 
other level, then there is no point letting them set it up in the first
place -- why allow them to set something you know will fail?

Also, it made me think about another problem.  If they check the box to keep
a local copy, it adds the needed code to the end of the user input.  This
is wrong, as special characters before that could make it not act as needed.
The fix is simple, simply add the code to the start of the string instead
of the end of the string...

> begin however, I wanted to check with you and see if you had any existing
> plans to put anything like that in place or if you are planning on
> implementing any other forms of sanity checking on the email address form.

I have nothing ready to go, but I'd like to add checks.

> Also, could you provide some pointers on where to start? I'm looking in

Depends on what you want to do. Some choices are:

1) Call something like escapeshellcmd() on either $forwardwhere in main.php
   or in $where/$address in lib/Driver/forwards.php.  This prevents things
   from executing, but doesn't give the user any feedback.  Also, the
   escapeshellcmd() call will quote valid email characters like <> characters,
   but none of the other built-ins will quote enough characters.  So you 
   may need to write something more specific, or maybe locate a Horde 
   routine that may help?

2) Have main.php inspect $forwardwhere, search for bad characters, and
   reject addresses with those characters.  Stops the use of them, and 
   gives feedback.  This is a more generic solution.  But it also means
   that it would apply to all backend drivers, and hence might cause 
   problems if we were to add a backend driver that required any of the
   special characters we are filtering.

3) Same as #2 but do it in the driver backend file rather than in main.php.

> driver.php but I'm not sure if that would be the place to add this or if I
> should be doing it in main.php where it checks to see if there is anything
> in the form at all. Like I said I'm a PHP newb so any pointers would be
> appreciated. Thanks Eric.

It's kind of complicated.  Above are three options.  Option #1 is probably
not the best.  But #2 and #3 both have advantages and disadvantages.

Maybe others on the list can help with their ideas/opinions/votes???
 
> --------------------
> Myke Place
> mp@xmission.com
> 801.539.0852
> www.radiojournal.org


-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
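
An added example, not part of the original message and not Horde or sork code: one way to combine options #2/#3 (allow-list check with user feedback) with the keep-a-local-copy fix of putting the local entry first. The function names, the allow-list patterns and the `\user` form of the local-copy entry (the usual sendmail convention) are assumptions.

```php
<?php
// Added example: not Horde/sork code. All function names are hypothetical.

// Option #2/#3: allow-list check on what the user typed, with feedback.
// Returns [true, addresses] or [false, message for the user].
function validate_forward_targets(string $input): array
{
    // Split on commas and any whitespace, so an embedded newline cannot
    // smuggle a second .forward line past the check.
    $targets = preg_split('/[\s,]+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    if (!$targets) {
        return [false, 'No forwarding address given.'];
    }
    foreach ($targets as $t) {
        // Plain user@domain only. Anything starting with "|", "/" or a
        // quote, or containing shell metacharacters, fails this pattern.
        if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D', $t)) {
            // Caller must HTML-escape the message before displaying it.
            return [false, "Not a plain e-mail address: $t"];
        }
    }
    return [true, $targets];
}

// Builds the .forward body. $user is assumed to be the authenticated login name.
function build_forward(string $user, string $input, bool $keepLocal): array
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/D', $user)) {
        return [false, 'Unexpected characters in user name.'];
    }
    [$ok, $result] = validate_forward_targets($input);
    if (!$ok) {
        return [false, $result];
    }
    if ($keepLocal) {
        // Local-copy entry goes first, before any user-supplied text.
        array_unshift($result, '\\' . $user);
    }
    return [true, implode("\n", $result) . "\n"];
}

// Constructed sample inputs: one plain address, one pipe entry, one multi-line input.
foreach (['friend@example.org', '|/bin/sh', "a@example.org\n\"|/bin/sh\""] as $in) {
    [$ok, $out] = build_forward('jdoe', $in, true);
    echo ($ok ? "OK:\n$out" : "REJECTED: $out\n");
}
```

As the message points out, a form-level check like this complements restricting program delivery at the MTA; it does not replace it.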