[sork] Re: Alias security?
John Dalbec
jpdalbec at ysu.edu
Wed Apr 30 09:40:22 PDT 2003
Chuck Hagenbuch wrote:
> Quoting John Dalbec <jpdalbec at ysu.edu>:
>
>
>>Since the alias address gets passed to /usr/local/bin/vacation as an
>>argument, would it be wise to run it through escapeShellArg?
>
>
> Most likely. Patch?
This is against RELENG. Do you need HEAD?
John
>
> -chuck
>
> --
> Charles Hagenbuch, <chuck at horde.org>
> I guess you remind me I'm alive.
-------------- next part --------------
diff -urN vacation-RELENG.orig/lib/Driver/forwards.php vacation-RELENG/lib/Driver/forwards.php
--- vacation-RELENG.orig/lib/Driver/forwards.php Wed Feb 19 18:24:46 2003
+++ vacation-RELENG/lib/Driver/forwards.php Wed Apr 30 08:32:17 2003
@@ -226,12 +263,14 @@
}
// Now set up the .forward file
+ $esc_my_email = escapeShellArg($my_email);
if (!empty($alias) && ($alias != $my_email)) {
+ $esc_alias = escapeShellArg($alias);
$contents = "\\$my_email, \"|" . $conf['vacation']['path'] .
- " -a $alias $my_email\"";
+ " -a $esc_alias $esc_my_email\"";
} else {
$contents = "\\$my_email, \"|" . $conf['vacation']['path'] .
- " $my_email\"";
+ " $esc_my_email\"";
}
$myFile = $this->_writeTempFile($contents);
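Review bot: In both `$contents` assignments the escaped values end up inside a double-quoted .forward entry (`"|" ... " -a $esc_alias $esc_my_email\""`), and escapeShellArg() only wraps its argument in single quotes and handles embedded single quotes, so a `"` in `$alias` or `$my_email` would still close that entry early. The leading `\\$my_email` is also written unescaped, which is correct for a forward address but means it gets no protection from this change. Suggest validating both addresses before this block (rejecting quotes, commas, whitespace and newlines) and keeping escapeShellArg() as a second layer. Separately, the hunk header `@@ -226,12 +263,14 @@` shows a 37-line offset that the visible changes do not account for, so it is worth confirming the patch applies cleanly to an unmodified RELENG tree.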
diff -urN vacation-RELENG.orig/lib/Driver/qmail.php vacation-RELENG/lib/Driver/qmail.php
--- vacation-RELENG.orig/lib/Driver/qmail.php Mon Jan 20 01:03:03 2003
+++ vacation-RELENG/lib/Driver/qmail.php Wed Apr 30 08:34:07 2003
@@ -143,12 +143,14 @@
}
// Now set up the .forward file
+ $esc_my_email = escapeShellArg($my_email);
if (!empty($alias) && ($alias != $my_email)) {
+ $esc_alias = escapeShellArg($alias);
$contents = "| " . $conf['vacation']['path'] .
- " -a $alias $my_email\n./Maildir/";
+ " -a $esc_alias $esc_my_email\n./Maildir/";
} else {
$contents = "| " . $conf['vacation']['path'] .
- " $my_email\n./Maildir/";
+ " $esc_my_email\n./Maildir/";
}
$status = $_vfs->writeData('', '.qmail', $contents);
if (PEAR::isError($status)) {
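Review bot: The .qmail content built in these two assignments is line-oriented (`"| " ... "\n./Maildir/"`), and escapeShellArg() leaves newline characters intact inside its single quotes, so a newline in `$alias` or `$my_email` would still end the command line and start a new delivery instruction. Suggest rejecting control characters in both values before the `if`, or checking them against an address pattern where they are first read. Since this block repeats the logic in forwards.php, a shared helper that validates and escapes the two addresses would keep the drivers from drifting apart.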