Date: Sun, 25 Nov 2001 09:14:33 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: Maxim Sobolev <sobomax@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: projects/mfcns/handler MFCns_handler.py
Message-ID: <20011125151432.GA630@shade.nectar.com>
In-Reply-To: <200111250003.fAP03ZQ19248@freefall.freebsd.org>
References: <200111250003.fAP03ZQ19248@freefall.freebsd.org>

On Sat, Nov 24, 2001 at 04:03:35PM -0800, Maxim Sobolev wrote:
> sobomax 2001/11/24 16:03:35 PST
>
> Modified files:
> mfcns/handler MFCns_handler.py
> Log:
> Be more strict about what's allowed as a mail address to which notification
> is to be sent. Particularly, disallow any of the shell meta-characters,
> because this address is then passed to a system(3)-like routine, which
> potentially may be exploited to execute arbitrary commands on a system at
> which service is running.
>
> Revision Changes Path
> 1.11 +6 -0 projects/mfcns/handler/MFCns_handler.py

Not that it probably matters much here, but this is a pet peeve of
mine: when applications disallow perfectly valid email addresses
because the author for whatever reason doesn't properly handle some
characters. This most often bites me whenever I use an address such
as <n+some-spam-tracking-id@nectar.com>. Often the `+' confuses the
script or is bounced outright.

The following characters are all valid for the local part of an email
address: [a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]. See RFC 822 (or 2822).

Cheers,
--
Jacques A. Vidrine <n@nectar.com> http://www.nectar.com/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
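
Added example, not part of the original message or of the MFCns code: one way to accept the full local-part character set listed above while keeping the address away from a shell, by checking it against the RFC 2822 dot-atom form and passing it to the mailer as a single argv element. The mailer path, the argument layout and all function names are assumptions for illustration; the second sample address is constructed.

```python
import re
import subprocess
import sys

# Characters the message lists as valid in a local part (RFC 2822 "atext").
ATEXT = r"[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom: runs of atext separated by single dots, no leading/trailing dot.
LOCAL_RE = re.compile(ATEXT + r"+(?:\." + ATEXT + r"+)*")
# Assumption for this example: the domain is a plain dotted hostname.
LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?"
DOMAIN_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")


def is_valid_address(addr):
    """Accept local@domain using the full dot-atom character set."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep and LOCAL_RE.fullmatch(local) and DOMAIN_RE.fullmatch(domain))


def mailer_argv(addr, mailer="/usr/sbin/sendmail"):
    """Build an argument vector; the mailer path is a placeholder."""
    if not is_valid_address(addr):
        raise ValueError("not a valid address: %r" % addr)
    # "--" ends option parsing, because "-" is a legal first character.
    return [mailer, "-i", "--", addr]


def echo_via_argv(addr):
    """Stand-in for the mailer: a child process that prints its last argument.

    subprocess.run() with a list and no shell=True never starts /bin/sh,
    so the address reaches the child as one unmodified argv element.
    """
    argv = mailer_argv(addr)
    child = [sys.executable, "-c", "import sys; print(sys.argv[-1])"] + argv[1:]
    out = subprocess.run(child, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    for sample in ("n+some-spam-tracking-id@nectar.com",  # from the message
                   "user$tag|x@example.org",              # constructed
                   "x;y@example.org"):                    # ';' is not atext
        if is_valid_address(sample):
            print("accepted, child saw:", echo_via_argv(sample))
        else:
            print("rejected:", sample)
```

Characters such as `$`, `|` and the backquote stay inert here because no shell ever parses the string, so the validator only has to enforce address syntax.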
