On Tue, Apr 09, 2002, Matijs van Zuijlen (Matijs.van.Zuijlen@xs4all.nl) wrote:
> On Tue, Apr 09, 2002 at 03:50:54AM -0700, Karsten M. Self wrote:
> > :0:
> > * ^X-Mailing-List: <\/[^@<>]+
> > $LISTDIR/$MATCH/
>
> As has been noted[1] in another thread on the same subject on
> debian-devel: this is dangerous. Someone could just send an email with
>
> X-Mailing-List: <../something>
>
> in its headers to overwrite your file ~/something (and try other
> variations if that didn't work).
>
> [1] See:
> http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg02132.html
Good point. I was concerned about that...
Since it's matching on X-foo headers, it doesn't have to pass RFC
822/2822 rules either.
What's a good regexp that will catch characters up to the '@' then?
* ^X-BeenThere: \/[^.@<>]+
...will at least prevent the parent directory trick. Is there a good
washer for something like this that can be put into procmail?
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
We freed Dmitry! Boycott Adobe! Repeal the DMCA!
http://www.freesklyarov.org
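One way to build the "washer" asked for above, as an added example that is not part of this thread or of procmail itself: instead of excluding a few bad characters (`[^.@<>]+` stops `..` but still lets `/`, spaces and control characters through), accept only a whitelist and fall back to a fixed folder for anything else. In procmail the same idea is a whitelist class in the condition, e.g. `* ^X-Mailing-List: <\/[-A-Za-z0-9_]+@`, which simply fails to match (so the recipe is skipped) when the name before the `@` contains anything else. The sh version below does the same check outside procmail so it can be tested; the `LISTDIR` default, the `unsorted/` fallback folder and the sample header lines are constructed for the example.

```shell
# Added example (not code from the thread): whitelist "washer" for a list
# name taken from an untrusted X-Mailing-List header, in POSIX sh.
# LISTDIR default and the unsorted/ fallback folder are assumptions.
LISTDIR="${LISTDIR:-$HOME/Mail/lists}"

# extract_list_name HEADER_LINE -> prints the text between '<' and the
# first '@' or '>', i.e. what procmail's \/ would put in $MATCH for the
# original recipe. Prints nothing if the line is not an X-Mailing-List header.
extract_list_name() {
    printf '%s\n' "$1" |
        sed -n 's/^X-Mailing-List:[[:space:]]*<\([^@>]*\).*/\1/p'
}

# is_safe_name NAME -> exit 0 only if NAME is one plain path component
# made of letters, digits, '-' and '_'. This rejects '.', '/', whitespace
# and control characters, so "../something" and "/etc/x" both fail.
is_safe_name() {
    case "$1" in
        '')                 return 1 ;;   # empty: would deliver into $LISTDIR/ itself
        *[!A-Za-z0-9_-]*)   return 1 ;;   # anything outside the whitelist
    esac
    return 0
}

# list_folder HEADER_LINE -> prints the delivery folder: $LISTDIR/<name>/
# for a safe name, $LISTDIR/unsorted/ for anything suspicious.
list_folder() {
    name=$(extract_list_name "$1")
    if is_safe_name "$name"; then
        printf '%s/%s/\n' "$LISTDIR" "$name"
    else
        printf '%s/unsorted/\n' "$LISTDIR"
    fi
}

# Constructed sample headers: one legitimate, one attempting traversal.
list_folder 'X-Mailing-List: <debian-devel@lists.debian.org>'
list_folder 'X-Mailing-List: <../something>'
```

The key point is the direction of the check: a deny-list like `[^.@<>]` has to anticipate every trick, while the whitelist only has to describe the handful of characters a real list name uses, and anything else goes to a fixed folder rather than into a path you did not choose.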