codekasten/ezmlm-web-ng/contrib-patches/ezmlm-pm-matt-simerson-20041115.txt


From sbeck@gossamer-threads.com Sat Oct 9 00:36:20 2004
Return-Path: <sbeck@gossamer-threads.com>
Delivered-To: guy-ezmlm@rucus.net
Received: (qmail 94672 invoked by uid 1025); 8 Oct 2004 22:36:20 -0000
Received: from sbeck@gossamer-threads.com by server.rucus.ru.ac.za by uid 82 with qmail-scanner-1.22
(clamdscan: 0.75.1. Clear:RC:0(64.69.64.21):.
Processed in 3.991777 secs); 08 Oct 2004 22:36:20 -0000
Received: from gossamer.nmsrv.com (HELO gossamer-threads.com) (64.69.64.21)
by server.rucus.ru.ac.za with SMTP; 8 Oct 2004 22:36:16 -0000
Received: (qmail 17647 invoked from network); 8 Oct 2004 22:36:00 -0000
X-AntiVirus: Clean
Received: from unknown (HELO sbeck) (sbeck@64.180.111.209)
by gossamer.nmsrv.com with (RC4-MD5 encrypted) SMTP; 8 Oct 2004 22:36:00 -0000
Subject: Mail::Ezmlm tainting
From: Scott Beck <sbeck@gossamer-threads.com>
To: Guy Antony Halse <guy-ezmlm@rucus.net>
Content-Type: text/plain
Organization: Gossamer Threads
Message-Id: <1097274969.15328.32.camel@sbeck.office.gossamer-threads.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Fri, 08 Oct 2004 15:36:09 -0700
Content-Transfer-Encoding: 7bit
Status: RO
Content-Length: 810

Hi,

I just ran into a taint problem with Mail::Ezmlm on one of our servers.
In Mail/Ezmlm.pm you have a sub _checkaddress which validates an email
address that is passed off to system; however, to just verify the address
is not enough for Perl's -T tests. You must reassign it to a capture
from a regex. Here is a version of the function that fixes this (a
little hacky).

    sub _checkaddress {
        my($self, $address) = @_;
        return 1 unless defined($address);
        # Match and capture: only the captured $1 is untainted under -T.
        return 0 unless($address =~ /^(\S+\@\S+\.\S+)$/);
        # $_[1] aliases the caller's argument, so this untaints it in place.
        $_[1] = $1;
        return 1;
    }

Cheers,
Scott
--
-------------------- Gossamer Threads Inc. ----------------------
Scott Beck Email: scott@gossamer-threads.com
Lead Software Developer Phone: (604) 687-5804
http://www.gossamer-threads.com Fax: (604) 687-5806
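
What the message describes, as an added example (not code from the original message or from Mail::Ezmlm): under `perl -T`, a successful match leaves the address tainted and `system` refuses it, while the capture written back through `@_` is accepted. The sub names `check_only`, `check_and_untaint` and `try_system`, the sample address, and `/bin/echo` as a stand-in command are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not Mail::Ezmlm code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};
$| = 1;    # keep our output in order with the child's output

# Taint mode refuses to run commands with an inherited environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Validation only: the match succeeds, but the caller's value stays tainted.
sub check_only {
    my ($address) = @_;
    return 1 unless defined $address;
    return $address =~ /^\S+\@\S+\.\S+$/ ? 1 : 0;
}

# Approach from the message: assign the capture back through @_, which
# aliases the caller's variable, so the caller's copy becomes untainted.
sub check_and_untaint {
    return 1 unless defined $_[0];
    return 0 unless $_[0] =~ /^(\S+\@\S+\.\S+)$/;
    $_[0] = $1;
    return 1;
}

# Try to hand the value to an external command (list form, no shell).
# /bin/echo stands in for the real mailing-list binary (assumption).
sub try_system {
    my ($label, $value) = @_;
    my $ran = eval { system('/bin/echo', "$label:", $value) == 0 };
    chomp(my $err = $@ // '');
    printf "%-18s tainted=%d  %s\n", $label, tainted($value) ? 1 : 0,
        $ran ? 'system() ran' : "system() refused: $err";
}

# Constructed input: appending a zero-length slice of the tainted $^X
# taints the literal without changing its text.
my $taint = substr($^X, 0, 0);
my $addr1 = 'user@example.org' . $taint;
my $addr2 = 'user@example.org' . $taint;

check_only($addr1)        or die "unexpected: address rejected\n";
check_and_untaint($addr2) or die "unexpected: address rejected\n";

try_system('match only',       $addr1);
try_system('capture assigned', $addr2);
```

Untainting only records that the value matched the pattern, so the pattern itself is the real check on what reaches `system`.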