>>>>> "m" == mhpower <mhpower@MIT.EDU> writes:
m> Using Majordomo 1.94.4, I noticed it was possible for a list owner to
m> subscribe the address :include:syslog to a list, e.g., I get:

Hmmm, that seems like a combination of several factors, some of which seem
to be of questionable security in their own right and having nothing to do
with Majordomo. Does sendmail really recursively expand include lists?
That seems like a bad thing. And putting the syslog data in the middle of
the mail queue seems quite questionable to me; I wouldn't put anything
there with a name that can be guessed at.

But here's a patch to try. I haven't tested it because I don't run
anything close to the stock sources, but it at least compiles and the
changes seem safe.

It also fixes a couple of minor bugs in the address checking code previously
reported (addresses without an @ and $a instead of $temp on two lines).

Trying :include: will fail in more than one way, but I put a hostile
address check in just in case. Pick whatever hunks please you.

--- majordomo.pl.orig Fri Dec 12 00:50:51 1997
+++ majordomo.pl Fri Dec 12 01:01:45 1997
@@ -544,6 +544,21 @@
return undef;
}
+ if ($temp =~ /[,;:]/) {
+ if (-e main'REPLY) {
+ print main'REPLY <<"EOM"
+**** The address you supplied, $_
+**** Does not seem to be a legal Internet address. It seems to have
+**** unquoted colons, commas, or semicolons.
+
+EOM
+
+ }
+ &main'log("WARNING", "Illegal chars in address: $_");
+ return undef;
+ }
+
+
# Deal with legal spaces in a stripped address, then check and reject
# any remaining space. Note that as I write this, the comment stripper
# ParseAddrs does not handle things like a quoted local part but I've
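Review bot: The new test $temp =~ /[,;:]/ rejects every colon, comma or semicolon, while the reply text says only unquoted ones are the problem; nothing in this hunk exempts a quoted local part, so either drop "unquoted" from the message or exclude text inside double quotes before testing. The print main'REPLY <<"EOM" line also has no terminating semicolon, which parses only because it is the last statement in its block; the existing heredoc print in the third hunk ends with one, so add it here for consistency. The test runs on $temp while the reply and the log line report $_, which is worth a short comment.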
@@ -558,10 +573,10 @@
1 while $temp =~ s/\"(.*)\s(.*)\"/\"$1$2\"/g;
# This compresses space before dots or `@'s. " <- placate emacs' highlighting
- 1 while $a =~ s/\s(\.|@)/$1/g;
+ 1 while $temp =~ s/\s(\.|@)/$1/g;
# This compresses space after dots or `@'s.
- 1 while $a =~ s/(\.|@)\s/$1/g;
+ 1 while $temp =~ s/(\.|@)\s/$1/g;
# We've taken out all legitimate space from the address (yes, RFC822
# permits that kind of bogosity), so if the address has spaces, we have
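Review bot: With $a replaced by $temp on both substitution lines, whitespace next to a dot or @ is now really removed before the space check that follows, so an address such as "user @ host.com" (constructed example) that would previously have reached that check unchanged can now pass it. The compression happens only in $temp, while the reply messages and the later tests in this patch read $_; please confirm which of the two is finally written to the list file and say so in a comment.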
@@ -586,14 +601,15 @@
return undef;
}
- # Look for addresses of the form rouilj@cs
- if (/\@/ && !/\./) {
+ # Addresses must have both an @ and a .
+ if (!(/\@/ && /\./)) {
if (-e main'REPLY) {
print main'REPLY <<"EOM";
**** The address you supplied, $_
**** is not a complete address. When providing an address, you must give
**** the full name of the machine including the domain part (like
-**** host.corp.com), not just the short name of the machine (just host).
+**** host.corp.com), not just your user name or your name and the short
+**** name of the machine (just user or user\@host is not legal).
EOM
}
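Review bot: The condition !(/\@/ && /\./) accepts a dot anywhere in the string, so an address whose only dot is in the local part (first.last@host, constructed example) still passes even though the new message says user@host is not legal. Tie the dot to the part after the @, for example by requiring /\@[^\@]*\./ to match, so the check tests the domain rather than the whole address.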
@@ -614,6 +630,12 @@
if ( /\|/ || /^-/ ) {
&main'abort("HOSTILE ADDRESS (invalid first char or |) $addr"); #'
return undef;
+ }
+
+ # Some sendmails are dumb enough to do bad things with this
+ if (/\:include\:/) {
+ &main'abort("HOSTILE ADDRESS (tried to use :include: syntax) $addr"); #'
+ return undef;
}
if ( $addr eq $list ) {
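Review bot: If the colon test from the first hunk is applied as well and both run on the same address, a :include: attempt is stopped there with a WARNING log entry and never reaches this abort, so it is not recorded as HOSTILE; decide which of the two should fire, or place this check ahead of the general character test. The match /\:include\:/ is case-sensitive, so confirm whether the sendmail versions in question treat the keyword case-insensitively, and the backslashes before the colons are unnecessary. The comment would be more useful if it named the bad thing, since the quoted report shows :include:syslog being accepted as a subscriber address.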
--
Jason L. Tibbitts III - tibbs@uh.edu - 713/743-3486 - 622PGH
System Manager: University of Houston Department of Mathematics
1994 PC800 "Kuroneko" DoD# 1723