Date: Mon, 26 Nov 2001 12:21:08 +0200
From: Maxim Sobolev <sobomax@FreeBSD.org>
To: "Jacques A. Vidrine" <n@nectar.com>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: projects/mfcns/handler MFCns_handler.py
Message-ID: <3C021794.5E2937EE@FreeBSD.org>
References: <200111250003.fAP03ZQ19248@freefall.freebsd.org> <20011125151432.GA630@shade.nectar.com>
"Jacques A. Vidrine" wrote:
>
> On Sat, Nov 24, 2001 at 04:03:35PM -0800, Maxim Sobolev wrote:
> > sobomax     2001/11/24 16:03:35 PST
> >
> >   Modified files:
> >     mfcns/handler        MFCns_handler.py
> >   Log:
> >   Be more strict about what's allowed as a mail address to which notification
> >   is to be sent. Particularly, disallow any of the shell meta-characters,
> >   because this address is then passed to a system(3)-like routine, which
> >   potentially may be exploited to execute arbitrary commands on a system at
> >   which service is running.
> >
> >   Revision  Changes    Path
> >   1.11      +6 -0      projects/mfcns/handler/MFCns_handler.py
>
> Not that it probably matters much here, but this is a pet peeve of
> mine: when applications disallow perfectly valid email addresses
> because the author for whatever reason doesn't properly handle some
> characters.  This most often bites me whenever I use an address such
> as <n+some-spam-tracking-id@nectar.com>.  Often the `+' confuses the
> script or is bounced outright.
>
> The following characters are all valid for the local part of an email
> address: [a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-].  See RFC 822 (or 2822).

In general I agree, but the "correct" solution would take some time to
implement, while it was necessary to close the potential vulnerability ASAP.
Therefore, I decided to go that way, especially considering that so far we
do not have any committers with "funny" characters in their handles.

-Maxim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
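The two positions in the thread above can be reconciled: accept every character RFC 2822 allows in an unquoted local part, and never let the address reach a shell at all. The following is an added example written for this archive page, not code from MFCns_handler.py or from the FreeBSD project. It assumes a sendmail binary at /usr/sbin/sendmail (a placeholder path), does not accept quoted-string local parts ("john doe"@example.com), and shows why an allowlist alone is not enough: `$`, backtick, `|` and `&` are all legal local-part characters, so the only robust fix is to pass the address as a single argv element instead of interpolating it into a system(3) command string.

```python
import re
import shlex
import subprocess

# RFC 2822 "atext": the characters allowed in an unquoted local part, exactly
# the set Jacques quotes in the thread. Note that $, `, | and & are included,
# so a string that passes this check is still NOT safe to hand to a shell.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
# dot-atom: one or more atext runs separated by single dots (no leading,
# trailing or doubled dots).
LOCAL_PART = rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*"
# Domain: dot-separated LDH labels, at least two of them (assumption: a bare
# single-label host is not an acceptable notification target here).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDRESS_RE = re.compile(rf"^(?P<local>{LOCAL_PART})@(?P<domain>{DOMAIN})$")

# Placeholder path; the real location depends on the system.
SENDMAIL = "/usr/sbin/sendmail"


def is_valid_address(addr: str) -> bool:
    """Allowlist check for <dot-atom>@<domain>. Accepts n+tag@nectar.com and
    rejects whitespace, ';', '<', '>', '(' and anything outside atext, but
    deliberately does not try to exclude shell metacharacters that RFC 2822
    permits; shell safety is handled by how the address is passed, below."""
    if len(addr) > 254:  # SMTP path length limit
        return False
    return ADDRESS_RE.fullmatch(addr) is not None


def build_sendmail_argv(addr: str) -> list:
    """Build the argument vector for delivering to addr. Because the address is
    its own argv element and no shell is involved, characters such as $ or `
    in a valid address are delivered literally to sendmail. The '--' stops
    sendmail from treating a local part that starts with '-' as an option."""
    if not is_valid_address(addr):
        raise ValueError(f"rejected recipient address: {addr!r}")
    return [SENDMAIL, "-oi", "--", addr]


def send_notification(addr: str, body: str) -> None:
    """Replacement for the system(3)-style call: subprocess with an argv list
    and shell=False (the default), so the address is never parsed by /bin/sh."""
    subprocess.run(build_sendmail_argv(addr), input=body.encode(), check=True)


def shell_command_for(addr: str) -> str:
    """Only if a shell is genuinely unavoidable (e.g. piping through a filter):
    quote every interpolated value so the shell sees it as one literal word."""
    if not is_valid_address(addr):
        raise ValueError(f"rejected recipient address: {addr!r}")
    return f"{shlex.quote(SENDMAIL)} -oi -- {shlex.quote(addr)}"


if __name__ == "__main__":
    for candidate in ("n+some-spam-tracking-id@nectar.com",
                      "a$b`c|d@example.org",
                      "user@example.com; echo injected"):
        print(f"{candidate!r}: valid={is_valid_address(candidate)}")
    print(build_sendmail_argv("n+some-spam-tracking-id@nectar.com"))
    print(shell_command_for("a$b`c|d@example.org"))
```

The design point is that validation and delivery are separate defences: the regex rejects malformed input, while the argv list (or shlex.quote as a fallback) guarantees that whatever survives validation cannot change the command being run, so the `+` addresses Jacques complains about can be accepted without reopening the hole the commit closed.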