Message-ID: <3C021794.5E2937EE@FreeBSD.org>
Date: Mon, 26 Nov 2001 12:21:08 +0200
From: Maxim Sobolev
Organization: Vega International Capital
To: "Jacques A. Vidrine"
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: projects/mfcns/handler MFCns_handler.py
References: <200111250003.fAP03ZQ19248@freefall.freebsd.org> <20011125151432.GA630@shade.nectar.com>

"Jacques A. Vidrine" wrote:
>
> On Sat, Nov 24, 2001 at 04:03:35PM -0800, Maxim Sobolev wrote:
> > sobomax 2001/11/24 16:03:35 PST
> >
> > Modified files:
> > mfcns/handler MFCns_handler.py
> > Log:
> > Be more strict about what's allowed as a mail address to which notification
> > is to be sent. Particularly, disallow any of the shell meta-characters,
> > because this address is then passed to a system(3)-like routine, which
> > potentially may be exploited to execute arbitrary commands on a system at
> > which service is running.
> >
> > Revision Changes Path
> > 1.11 +6 -0 projects/mfcns/handler/MFCns_handler.py
>
> Not that it probably matters much here, but this is a pet peeve of
> mine: when applications disallow perfectly valid email addresses
> because the author for whatever reason doesn't properly handle some
> characters. This most often bites me whenever I use an address such
> as . Often the `+' confuses the
> script or is bounced outright.
>
> The following characters are all valid for the local part of an email
> address: [a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]. See RFC 822 (or 2822).

In general I agree, but the "correct" solution would take some time to
implement, while it was necessary to close the potential vulnerability ASAP.
Therefore, I decided to go that way, especially considering that so far
we do not have any committers with "funny" characters in their handles.

-Maxim
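
One way to reconcile the two positions in this thread, as an added example that is not code from MFCns_handler.py or from either poster: accept the full local-part character set quoted above, and hand the address to the mailer as a single argv element so that no shell ever parses it. The mailer path and its flags, the hostname-only domain rule, the 254-character limit and all function names are assumptions of this example.

```python
import re
import subprocess
import sys

# Local part: the character set quoted in the reply, arranged as an RFC 2822
# dot-atom (no leading, trailing or doubled dots).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_LOCAL = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
# Assumption of this example: the domain is a plain dotted hostname.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_ADDR_RE = re.compile(rf"{_LOCAL}@{_LABEL}(?:\.{_LABEL})+")

# Assumed mailer command; "-i" stops a lone "." line from ending the message.
MAILER = ("/usr/sbin/sendmail", "-i")


def is_valid_address(addr):
    """Accept dot-atom addresses, including ones with '+', '|' or '`'."""
    # A leading "-" is legal in a local part but the mailer would read it as
    # an option, so it is refused. fullmatch() also refuses a trailing newline.
    return (len(addr) <= 254 and not addr.startswith("-")
            and _ADDR_RE.fullmatch(addr) is not None)


def build_argv(addr, mailer=MAILER):
    """Return the argument vector for the mailer; raise on a bad address."""
    if not is_valid_address(addr):
        raise ValueError("rejected address: %r" % (addr,))
    # "--" ends option parsing; the address stays one argv element.
    return [*mailer, "--", addr]


def notify(addr, message, mailer=MAILER):
    """Send message (bytes) to addr; returns the mailer's exit status."""
    # A list argv with the default shell=False: /bin/sh is never involved,
    # unlike a system(3)-like call that builds a command string.
    return subprocess.run(build_argv(addr, mailer), input=message).returncode


def argv_roundtrip(addr):
    """Show what a child process receives for addr: the same characters."""
    code = "import sys; sys.stdout.write(sys.argv[-1])"
    argv = build_argv(addr, mailer=(sys.executable, "-c", code))
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```

argv_roundtrip() stands in for the mailer with a child Python process, so the effect can be checked without sending mail.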