senselab/codekasten
4
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

[ezmlm-web] directory structure

Browse source
This commit is contained in:
io 2005-01-26 01:26:27 +00:00
parent 7ab4285d69
commit c1c7ccc97a
54 changed files with 3948 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

79
ezmlm-web/contrib-patches/ignored/ezmlm-pm-jon-coulter-20040312.txt Normal file
View file

@ -0,0 +1,79 @@
From ledjon@ledjon.com Fri Mar 12 00:03:27 2004
Return-Path: <ledjon@ledjon.com>
Delivered-To: guy-ezmlm@rucus.ru.ac.za
Received: (qmail 56152 invoked by uid 1025); 11 Mar 2004 22:03:27 -0000
Received: (qmail-scanner-1.20rc3 56151 invoked by uid 82); 11 Mar 2004 22:03:27 -0000
Received: from 69-56-199-178.theplanet.com (HELO wylde.ledhosting.com) (69.56.199.178)
by server.rucus.ru.ac.za with SMTP; 11 Mar 2004 22:03:24 -0000
Received: (qmail 25788 invoked from network); 11 Mar 2004 17:03:18 -0500
Received: from atlnga1-ar3-4-64-009-109.atlnga1.dsl-verizon.net (HELO page) (4.64.9.109)
by 69-56-199-178.theplanet.com with SMTP; 11 Mar 2004 17:03:18 -0500
From: "Jon Coulter" <ledjon@ledjon.com>
To: <guy-ezmlm@rucus.ru.ac.za>
Subject: Mail::Ezmlm Patch
Date: Thu, 11 Mar 2004 17:03:24 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0000_01C4078A.C44C42F0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcQHtKkecjFWE5llQ6aIAIPcXCJAog==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Qmail-Scanner-Message-ID: <107904260763856141@server.rucus.ru.ac.za>
Status: RO
Content-Length: 1642
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01C4078A.C44C42F0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Your (quite wonderful) Mail::Ezmlm perl module has a bug in that I patched
some time ago for my own use, so I figured I'd go ahead and send it along to
you.
Basically it does something to the effect of 'return @array || undef' which
forces a scalar return (making it return @array as the number of items in
the array, rather then the items themselves)
This just replaces it with a trinary operator.
Feel free to use or ignore it at your own will. Thanks.
Jon Coulter
ledjon@ledjon.com
------=_NextPart_000_0000_01C4078A.C44C42F0
Content-Type: application/octet-stream;
name="Ezmlm.pm.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="Ezmlm.pm.patch"
*** /usr/lib/perl5/site_perl/5.8.0/Mail/Ezmlm.pm~ Wed Jul 16 00:44:01 =
2003=0A=
--- /usr/lib/perl5/site_perl/5.8.0/Mail/Ezmlm.pm Wed Jul 16 00:54:22 2003=0A=
***************=0A=
*** 245,251 ****=0A=
=0A=
if($?) {=0A=
$self->_seterror($?, 'error during ezmlm-list in =
subscribers()'); =0A=
! return @subscribers || undef;=0A=
} else {=0A=
$self->_seterror(undef);=0A=
return @subscribers; =0A=
--- 245,251 ----=0A=
=0A=
if($?) {=0A=
$self->_seterror($?, 'error during ezmlm-list in =
subscribers()'); =0A=
! return (scalar @subscribers ? @subscribers : undef);=0A=
} else {=0A=
$self->_seterror(undef);=0A=
return @subscribers; =0A=
------=_NextPart_000_0000_01C4078A.C44C42F0--

52
ezmlm-web/contrib-patches/ignored/ezmlm-pm-lars-braeuer-20040305.txt Normal file
View file

@ -0,0 +1,52 @@
From lbraeuer@mpex.net Fri Mar 5 17:03:07 2004
Return-Path: <lbraeuer@mpex.net>
Delivered-To: guy-ezmlm@rucus.net
Received: (qmail 49433 invoked by uid 1025); 5 Mar 2004 15:03:07 -0000
Received: (qmail-scanner-1.20rc3 49432 invoked by uid 82); 05 Mar 2004 15:03:07 -0000
Received: from endo.mpex.net (80.190.108.11)
by server.rucus.ru.ac.za with SMTP; 5 Mar 2004 15:03:04 -0000
Received: (qmail 21499 invoked by uid 509); 5 Mar 2004 15:02:59 -0000
Received: from unknown (HELO mpex.net) (217.225.11.124)
by 0 with SMTP; 5 Mar 2004 15:02:59 -0000
Message-ID: <404896A9.8030606@mpex.net>
Date: Fri, 05 Mar 2004 16:03:05 +0100
From: Lars Braeuer <lbraeuer@mpex.net>
Organization: MPeX.net GmbH
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: de, en-us, en
MIME-Version: 1.0
To: guy-ezmlm@rucus.net
Subject: Bug + fix in ezmlm.pm 0.04
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 1010
Addition: Just found out, that there's the same bug on line 138!
---------------
Hi Guy!
I just posted this on cpan, but I also wanted to let you know:
----------------
http://rt.cpan.org/NoAuth/Bug.html?id=5571
----------------
Subject: Problem with dash in owner or sender address
In Ezmlm.pm 0.04 on line 85 the options are split at every dash ("-\w+"). So when trying to supply
an owner or sender address containing a dash i.e. someone@some-domain.com this domain is splitted in
two parts ("someone@some" and "-domain.com") causing this error: "ezmlm-make: fatal: dir and dot
must start with slash". This occurs because "-domain.com" is interpreted as an option which is of
course wrong.
This problem can be solved by adding a \s right in front of the -\w+ on line 85 of the module:
--- foreach (split(/["'](.+?)["']|(-\w+)/, $commandline)) {
+++ foreach (split(/["'](.+?)["']|(\s-\w+)/, $commandline)) {
This assures, that an option is split and not every occurence of a dash, even in a domain.

54
ezmlm-web/contrib-patches/ignored/ezmlm-pm-matt-simerson-20041115.txt Normal file
View file

@ -0,0 +1,54 @@
From sbeck@gossamer-threads.com Sat Oct 9 00:36:20 2004
Return-Path: <sbeck@gossamer-threads.com>
Delivered-To: guy-ezmlm@rucus.net
Received: (qmail 94672 invoked by uid 1025); 8 Oct 2004 22:36:20 -0000
Received: from sbeck@gossamer-threads.com by server.rucus.ru.ac.za by uid 82 with qmail-scanner-1.22
(clamdscan: 0.75.1. Clear:RC:0(64.69.64.21):.
Processed in 3.991777 secs); 08 Oct 2004 22:36:20 -0000
Received: from gossamer.nmsrv.com (HELO gossamer-threads.com) (64.69.64.21)
by server.rucus.ru.ac.za with SMTP; 8 Oct 2004 22:36:16 -0000
Received: (qmail 17647 invoked from network); 8 Oct 2004 22:36:00 -0000
X-AntiVirus: Clean
Received: from unknown (HELO sbeck) (sbeck@64.180.111.209)
by gossamer.nmsrv.com with (RC4-MD5 encrypted) SMTP; 8 Oct 2004 22:36:00 -0000
Subject: Mail::Ezmlm tainting
From: Scott Beck <sbeck@gossamer-threads.com>
To: Guy Antony Halse <guy-ezmlm@rucus.net>
Content-Type: text/plain
Organization: Gossamer Threads
Message-Id: <1097274969.15328.32.camel@sbeck.office.gossamer-threads.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Fri, 08 Oct 2004 15:36:09 -0700
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 810
Hi,
I just ran into a taint problem with Mail::Ezmlm on one of our servers.
In Mail/Ezmlm.pm you have a sub _checkaddress which validates an email
address that is passed off to system, however to just verify the address
is not enough for perl's -T tests. You must reassign it to a capture
from a regex. Here is a version of the function that fixes this (a
little hacky).
sub _checkaddress {
my($self, $address) = @_;
return 1 unless defined($address);
return 0 unless($address =~ /^(\S+\@\S+\.\S+)$/);
$_[1] = $1;
return 1;
}
Cheers,
Scott
--
-------------------- Gossamer Threads Inc. ----------------------
Scott Beck Email: scott@gossamer-threads.com
Lead Software Developer Phone: (604) 687-5804
http://www.gossamer-threads.com Fax: (604) 687-5806

193
ezmlm-web/contrib-patches/ignored/ezmlm-pm-scott-beck-20041009.txt Normal file
View file

@ -0,0 +1,193 @@
From matt@tnpi.biz Mon Nov 15 21:21:15 2004
Return-Path: <matt@tnpi.biz>
Delivered-To: guy@rucus.ru.ac.za
Received: (qmail 48783 invoked by uid 1025); 15 Nov 2004 19:21:15 -0000
Received: from matt@tnpi.biz by server.rucus.ru.ac.za by uid 82 with qmail-scanner-1.22
(clamdscan: 0.75.1. Clear:RC:0(207.89.154.94):.
Processed in 2.727858 secs); 15 Nov 2004 19:21:15 -0000
Received: from matt-serv2.cdlc.mi.core.com (HELO mail.cadillac.net) (207.89.154.94)
by server.rucus.ru.ac.za with SMTP; 15 Nov 2004 19:21:12 -0000
Received: (qmail 5634 invoked by uid 89); 15 Nov 2004 19:21:06 -0000
Received: from unknown (HELO ?10.0.1.218?) (matt@cadillac.net@10.0.1.218)
by matt-serv2.cdlc.mi.core.com with (RC4-SHA encrypted) SMTP; 15 Nov 2004 19:21:06 -0000
Mime-Version: 1.0 (Apple Message framework v619)
To: guy@rucus.ru.ac.za
Message-Id: <7D5CC579-373B-11D9-A43C-000A95A797A8@tnpi.biz>
Content-Type: multipart/mixed; boundary=Apple-Mail-5--167304881
From: Matt Simerson <matt@tnpi.biz>
Subject: Mail::Ezmlm patch submission
Date: Mon, 15 Nov 2004 14:21:02 -0500
X-Mailer: Apple Mail (2.619)
Status: RO
Content-Length: 6582
--Apple-Mail-5--167304881
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
format=flowed
Hey Guy,
First, thanks a bunch for writing Mail::Ezmlm, it's quite useful. :-)
I've used it to write a CGI interface to Ezmlm for a client. It's not a
very complex thing, it just creates a web page where the client logs in
and then has the choice to list the subscribers for a list, batch add a
list of subscribers, or mass delete a list.
It's posted here if you're interested in seeing it:
https://mail.cadillac.net/ezmlm.cgi
You can log in using the domain "example.com" and the password
"guyrucus".
Anyhow, the only problem I've had with Mail::Ezmlm is that when I run
my script suid as the user that owns the mailing list, mod_perl whines
about the data because it's tainted. So, I've made a few minor
alterations to untaint the data. My approach is rather basic and could
be improved upon but it works quite well and is slightly more secure
than what's being used at present. I'd appreciate if you'd review the
patch and apply it or something similar which achieves the same result.
The patch is against v 1.9 of Mail::Ezmlm.
--Apple-Mail-5--167304881
Content-Type: multipart/appledouble;
boundary=Apple-Mail-6--167304881
Content-Disposition: attachment
--Apple-Mail-6--167304881
Content-Transfer-Encoding: base64
Content-Type: application/applefile;
name="Ezmlm.pm.patch"
Content-Disposition: attachment;
filename=Ezmlm.pm.patch
AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAA4AAAACAAAA
VgAABq5URVhUUipjaAAARXptbG0ucG0ucGF0Y2gAAAEAAAAGaAAABWgAAABGAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASAAJTW9uYWNvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAEAEIACgR0AooAQgAKBHQC
ir2+Z3QAAAFTAAABUwAAAAABAAAABRhSKmNoAIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQdDb3VyaWVyAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAACgAAAAQJSGVsdmV0aWNhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADENvbmZpZGVudGlhbAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAQAAAQAAAQAAAIAAAACAAAAAgAAAAIAAAAAAAAABAQABAAEAAAAAAwBQ
AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACW1hY2ludG9zaAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAQAAAAZoAAAFaAAAAEYAZdCMAlUAAAAcAEYAAU1QU1IAAAASQkJT
VAAAAB4D7f//AAAAAAB/K8AAgP//AAAATAB/K9A=
--Apple-Mail-6--167304881
Content-Transfer-Encoding: 7bit
Content-Type: application/text;
x-mac-type=54455854;
x-unix-mode=0644;
x-mac-creator=522A6368;
name="Ezmlm.pm.patch"
Content-Disposition: attachment;
filename=Ezmlm.pm.patch
--- Ezmlm.pm.orig Sat Nov 13 13:38:59 2004
+++ Ezmlm.pm Mon Nov 15 13:44:35 2004
@@ -236,6 +236,16 @@
my($self, $part) = @_;
my(@subscribers);
($self->_seterror(-1, 'must setlist() before returning subscribers()') && return undef) unless(defined($self->{'LIST_NAME'}));
+
+ # additions by matt simerson (matt@tnpi.biz) to pass mod_perl security (taint) checks
+ $ENV{"PATH"} = "";
+ if ( $self->{'LIST_NAME'} =~ /([\w\-\/.]*)/ ) {
+ $self->{'LIST_NAME'} = $1;
+ } else {
+ warn "TAINTED DATA IN LIST_NAME: $self->{'LIST_NAME'}\n";
+ };
+ # end additions
+
if(defined($part) && $part) {
($self->_seterror(-1, "$part part of $self->{'LIST_NAME'} does not appear to exist in subscribers()") && return undef) unless(-e "$self->{'LIST_NAME'}/$part");
@subscribers = map { s/[\r\n]// && $_ } sort `$EZMLM_BASE/ezmlm-list $self->{'LIST_NAME'}/$part`;
@@ -270,6 +280,19 @@
} else {
foreach $address (@addresses) {
next unless $self->_checkaddress($address);
+
+ # matt adds
+ $ENV{"PATH"} = ""; # taint checks
+
+ if ( $self->{'LIST_NAME'} =~ /([\w\-\/.]*)/ ) {
+ $self->{'LIST_NAME'} = $1;
+ } else {
+ warn "TAINTED DATA IN LIST_NAME: $self->{'LIST_NAME'}\n";
+ };
+
+ if ( $address =~ /(.*)/ ) { $address = $1 };
+ # end matt adds
+
system("$EZMLM_BASE/ezmlm-sub", $self->{'LIST_NAME'}, $address) == 0 ||
($self->_seterror($?) && return undef);
}
@@ -322,6 +345,16 @@
} else {
foreach $address (@addresses) {
$ENV{'SENDER'} = $address;
+
+ # matt adds
+ $ENV{"PATH"} = ""; # taint checks
+ if ( $self->{'LIST_NAME'} =~ /([\w\-\/.]*)/ ) {
+ $self->{'LIST_NAME'} = $1;
+ } else {
+ warn "TAINTED DATA IN LIST_NAME: $self->{'LIST_NAME'}\n";
+ };
+ # end matt adds
+
undef($issub) if ((system("$EZMLM_BASE/ezmlm-issubn", $self->{'LIST_NAME'}) / 256) != 0)
}
}
--Apple-Mail-6--167304881--
--Apple-Mail-5--167304881
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
format=flowed
Matt
``````````````````````````````````````````````````````````````````
Matt Simerson http://matt.simerson.net
The Network People Inc. http://www.tnpi.biz
The chief danger in life is that you may take too many precautions.
- Alfred Adler
``````````````````````````````````````````````````````````````````
--Apple-Mail-5--167304881--

67
ezmlm-web/contrib-patches/ignored/ezmlm-web-andrew-pam-20040526.txt Normal file
View file

@ -0,0 +1,67 @@
From xanni@urYod.glasswings.com.au Wed May 26 10:27:04 2004
Return-Path: <xanni@urYod.glasswings.com.au>
Delivered-To: guy-ezmlm@rucus.ru.ac.za
Received: (qmail 95684 invoked by uid 1025); 26 May 2004 08:27:04 -0000
Received: (qmail-scanner-1.22 95683 invoked by uid 82); 26 May 2004 08:27:04 -0000
Received: from mail018.syd.optusnet.com.au (211.29.132.72)
by server.rucus.ru.ac.za with SMTP; 26 May 2004 08:26:58 -0000
Received: from urYod.glasswings.com.au (c211-28-208-136.eburwd1.vic.optusnet.com.au [211.28.208.136])
by mail018.syd.optusnet.com.au (8.11.6p2/8.11.6) with ESMTP id i4Q8QmD27299
for <guy-ezmlm@rucus.ru.ac.za>; Wed, 26 May 2004 18:26:49 +1000
Received: from urYod.glasswings.com.au (localhost.localdomain [127.0.0.1])
by urYod.glasswings.com.au (8.12.10/8.12.10) with ESMTP id i4Q8QlgD004619
for <guy-ezmlm@rucus.ru.ac.za>; Wed, 26 May 2004 18:26:47 +1000
Received: (from xanni@localhost)
by urYod.glasswings.com.au (8.12.10/8.12.10/Submit) id i4Q8Qljs004617
for guy-ezmlm@rucus.ru.ac.za; Wed, 26 May 2004 18:26:47 +1000
Date: Wed, 26 May 2004 18:26:47 +1000
From: Andrew Pam <xanni@glasswings.com.au>
To: guy-ezmlm@rucus.ru.ac.za
Subject: Another ezmlm-web patch
Message-ID: <20040526082647.GN1975@urYod.glasswings.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-Face: ="NXL=B\E?60DRs]*]Mp-[@,"/\ESi&5s~&qMPLKzyWqo*<)SiE$IykXoakjYA62"oQT_.0I-i:nay>Pg]I{>J&dN(D<]F}+eaMSI=Kv]<L%q>fr7.e;3u(e1ZlP^C>pRxW*sJEgdAevnn^/D{Eg[f
Status: RO
Content-Length: 1682
Hello! I recently upgraded my system from Red Hat Linux 7.3 to
Fedora Core 1 which in turn resulted in upgrading my perl to 5.8.3.
This revealed a nasty security bug in Mail::Ezmlm which of course affects
ezmlm-web.cgi and is detected by perl when running SUID. Mail::Ezmlm
passes email addresses to the ezmlm tools on the command line using the
"system" perl function, but doesn't check that the email addresses are
free of dangerous characters. Here's a patch to ezmlm-web.cgi to make
it check for valid characters before calling Mail::Ezmlm:
--- ezmlm-web.cgi.orig 2000-09-26 06:58:08.000000000 +1100
+++ ezmlm-web.cgi 2004-05-26 17:54:30.000000000 +1000
@@ -477,7 +477,14 @@
untie %pretty;
}
- if ($list->sub($add->address(), $part) != 1) {
+# Modified 2004-05-26 by Andrew Pam <xanni@sericyb.com.au>
+# Untaint the address because $list->sub will pass it to ezmlm-sub
+# on the command line!
+# Note this may not handle some less common email address formats
+ my($addr) = $add->address() =~ /([\w\.\=]+\@[\w\.\=]+)/
+ or die "Illegal character in address '" . $add->address() ."'";
+# if ($list->sub($add->address(), $part) != 1) {
+ if ($list->sub($addr, $part) != 1) {
die "Unable to subscribe to list: $!";
}
$count++;
Of course arguably Mail::Ezmlm should really be doing this.
Cheers,
Andrew
--
mailto:xanni@xanadu.net Andrew Pam
http://www.xanadu.com.au/ Chief Scientist, Xanadu
http://www.glasswings.com.au/ Technology Manager, Glass Wings
http://www.sericyb.com.au/ Manager, Serious Cybernetics

67
ezmlm-web/contrib-patches/ignored/ezmlm-web-gordon-rowell-20011024.txt Normal file
View file

@ -0,0 +1,67 @@
From gordonr@e-smith.com Wed Oct 24 08:10:56 2001
Return-Path: <gordonr@e-smith.com>
Delivered-To: guy-ezmlm@rucus.ru.ac.za
Received: (qmail 18972 invoked from network); 24 Oct 2001 06:10:56 -0000
Received: from terrapin.ru.ac.za (146.231.128.6)
by rucus.ru.ac.za with SMTP; 24 Oct 2001 06:10:56 -0000
Received: from cpe-144-132-208-16.nsw.bigpond.net.au ([144.132.208.16] helo=icedvovo.sydney.e-smith.com)
by terrapin.ru.ac.za with smtp (Exim 3.32 #1)
id 15wHFE-000C6Z-00
for guy-ezmlm@rucus.ru.ac.za; Wed, 24 Oct 2001 08:10:29 +0200
Received: (qmail 19833 invoked by uid 500); 24 Oct 2001 06:10:53 -0000
MBOX-Line: From gordonr@e-smith.com Wed Oct 24 16:10:53 2001
Date: Wed, 24 Oct 2001 16:10:53 +1000
From: Gordon Rowell <gordonr@e-smith.com>
To: Guy Antony Halse <guy-ezmlm@rucus.ru.ac.za>
Subject: ezmlm-web 2.1 patch - if you can't create lists, you can't delete them
Message-ID: <20011024161053.U8219@e-smith.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Organization: Mitel Networks Corporation
Status: RO
Content-Length: 1758
Lines: 40
Hi Guy,
I'm in process of integrating ezmlm-web with our SME Server V5 product - see
www.e-smith.{com,org}. I did a quick and dirty proof of concept contrib to
integrate ezmlm, and am now revising it around ezmlm-web - great stuff.
It fits in very well with our manager. I have a small shim to create
and delete lists which ensures that the list is known to our account
namespace. I wanted to ensure that people couldn't delete lists without
our manager knowing about it. The patch below also disables list deletion
if you have disabled list creation. You may want another switch, but
overloading opt_c seemed right to me.
BTW: I am also making use of Mail::Ezmlm, which is great, so you're not the
only one who thinks it's a good idea :-)
Also, I'll be building an RPM out of ezmlm-web which I'll make available
once I've done it.
Gordon
--
Gordon Rowell gordonr@e-smith.com
VP Engineering
Network Server Solutions Group http://www.e-smith.com
Mitel Networks Corporation http://www.mitel.com
---CUT HERE------CUT HERE------CUT HERE------CUT HERE---
[gordonr@sao]$ diff -u ezmlm-web.cgi.orig ezmlm-web.cgi
--- ezmlm-web.cgi.orig Tue Sep 26 06:58:08 2000
+++ ezmlm-web.cgi Wed Oct 24 16:05:08 2001
@@ -287,7 +287,7 @@
print $q->submit(-name=>'action', -value=>"[$BUTTON{'create'}]"), ' ' if (!defined($opt_c));
print $q->submit(-name=>'action', -value=>"[$BUTTON{'edit'}]"), ' ' if(defined(@lists));
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'delete'}]") if(defined(@lists));
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'delete'}]") if ((!defined($opt_c)) && (defined(@lists)));
print '</TD></TR><TR><TD> </TD></TR></TABLE></CENTER>';
print $q->endform;
}