>>>>> "DW" == Dave Wolfe <firstname.lastname@example.org> writes:
DW> Repeating the message for each list examined seems to me to be a
DW> security leak in itself.

A minor one at that, but a security leak nonetheless.

DW> After looking at it (do_which in majordomo), I'm
DW> confused. $per_list_hits is never reset, so it seems to be misnamed and
DW> is really no different than $count.

I believe it's there so that in the future it can be reset as a per-list
value. This is really a sticky issue, though.

DW> If the intention was to have $max_which_hits be a maximum number of
DW> hits *per list*, then $per_list_hits needs to be reset before entering
DW> the 'while (<LIST>)' loop. This seems to be what's implied by the
DW> comments in sample.cf ("Arguably this should be a per list settable

Right. I think the code in there was added in order to have something that
works; the major hole is now plugged and we are free to refine it.

DW> Also, setting $max_which_hits = 0 disables the test. Was that

Yes. Isn't that documented? I thought it was, but I guess it isn't.

This is all easily fixable, but we need to beat out the proper workings
before we do anything about it.

The big problem with which is that you use it either because you want to
spam or because you simply don't know which address you are subscribed
under. I'm all for stopping the first, but placing too many restrictions
makes it difficult to do the second, because things like which_access =
closed would defeat the purpose.

Comments? I'm kind of out of the loop here because I just use grep.
People who don't have that luxury should have much more to say.
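To make the two readings of the counter concrete, here is an added model of a `which` lookup (illustration only, not majordomo's do_which): it caps matches with either one counter across every list (a $per_list_hits that is never reset) or a counter reset per list, treats a cap of 0 as disabled, and reports the limit once instead of once per list examined. The list names, addresses and substring matching are constructed for the example.

```python
# Added illustration (not majordomo's own code): how a `which` lookup can
# cap the addresses it reveals. A global counter and a per-list counter
# give different results; 0 disables the cap; the limit is flagged once
# rather than echoed for every list examined.

SUBSCRIBERS = {  # constructed sample data
    "list-a": ["alice@example.org", "bob@example.org", "carol@example.org"],
    "list-b": ["alice@example.org", "dave@example.org"],
    "list-c": ["alice@example.org", "erin@example.org", "frank@example.org"],
}


def which(pattern, lists, max_hits, per_list=False):
    """Return (matches, limit_hit).

    matches   - {list_name: [address, ...]} of subscribers matching pattern
    max_hits  - cap on reported matches; 0 disables the cap
    per_list  - True: the counter is reset before each list is scanned,
                so the cap applies per list; False: one counter across
                all lists, as with a $per_list_hits that is never reset
    Matching is a case-insensitive substring test (a simplification).
    """
    matches = {}
    hits = 0
    limit_hit = False
    for name, members in lists.items():
        if per_list:
            hits = 0  # the reset the thread discusses
        for addr in members:
            if pattern.lower() not in addr.lower():
                continue
            if max_hits and hits >= max_hits:
                limit_hit = True  # recorded once, not repeated per list
                break
            hits += 1
            matches.setdefault(name, []).append(addr)
    return matches, limit_hit


if __name__ == "__main__":
    for mode in (False, True):
        found, capped = which("example.org", SUBSCRIBERS, 2, per_list=mode)
        print("per_list=%s -> %s (limit hit: %s)" % (mode, found, capped))
```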