[ Matt Power writes: ]
>
> Using Majordomo 1.94.4, I noticed it was possible for a list owner to
> subscribe the address :include:syslog to a list, e.g., I get:
>
> >>>> approve mylist.admin subscribe mylist :include:syslog
> Succeeded.
[ See original message for complete description of the problem. ]
Matt has verified that this patch rejects addresses the begin with
":include:".
--- majordomo.pl.orig Wed Aug 27 09:58:53 1997
+++ majordomo.pl Fri Dec 12 08:31:30 1997
@@ -493,11 +493,11 @@
}
# Check to see that this is a valid address.
-# A valid address is a single address with
-# no "|" in the address part. It may not start with a - either.
-# If it has a / in it, we use some heuristics to find out if the address
-# may be a file. Some other heuristics attempt to look for a valid X.400
-# address. This is not infalible.
+# A valid address is a single address with no "|" in the address part.
+# It may not start with a - or :include: either. If it has a / in it,
+# we use some heuristics to find out if the address may be a file. Some
+# other heuristics attempt to look for a valid X.400 address. This is
+# not infallible.
sub main'valid_addr {
local($addr, $list) = @_;
local(@addrs, $temp);
@@ -611,8 +611,8 @@
print STDERR "$0: valid_addr: comparing '$addr' to '$list'\n" if $DEBUG;
# XXX Should at least tell the user that there was a problem.
- if ( /\|/ || /^-/ ) {
- &main'abort("HOSTILE ADDRESS (invalid first char or |) $addr"); #'
+ if ( /\|/ || /^-/ || /^:include:/i ) {
+ &main'abort("HOSTILE ADDRESS (contains |, -, or :include:) $addr"); #'
return undef;
}
--
Dave Wolfe
References:
|
|
