From: Jozsef Kadlecsik (no email)
Date: Thu Aug 01 2002 - 06:12:24 EDT
On Fri, 26 Jul 2002, Wietse Venema wrote:
> > > I recommend the following principle: don't macro expand data from
> > > the network - not from the DNS, and not from the client. This means
> > > allow only limited use of regexp/pcre maps.
> >
> > Yes, that's the proper way to deal with uncontrolled data.
> >
> > Do you object to the non-recursive macro expansion of variables
> > which store data received from the network (DNS, client) too?
>
> There are two issues at work. Be sure not to confuse the two.
>
> The issue I refer to is giving an unauthorized user control over
> macro NAMES (or map names etc.). That is always wrong.
The bug fell into this category. I overlooked that postfix itself
"evaluates" client/SMTP parameters in the returned messages and originally
all of them were subject to macro expansion. Thus it resulted in a second
turn in the evaluation when the client supplied parameters like '$foo'.
The fix was to strictly restrict macro expansion to the text returned by
table lookups.
> The issue you are referring to is more general, and is about USING
> information that was supplied by an unauthorized user. My answer
> to that is: very, very, carefully.
There are two kinds of macro expansions introduced into smtpd by the patch:
- evaluation of the error messages returned by table lookups:
  it is practically equivalent to how postfix standard error messages are
  created
- special table lookup with the syntax
      check_access <macro expression> maptype:mapfile
  which is again equivalent to a standard postfix table lookup.
["equivalent" in the sense of how the user input parameters are used.]
Regards,
Jozsef
-
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
-
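The double evaluation described in the message above, modelled as an added example that is not part of the original post and is not Postfix code. The expander is a simplified stand-in, and the attribute names and values are constructed for illustration.

```python
import re

# Matches $name and ${name}; simplified stand-in for a macro syntax.
MACRO = re.compile(r"\$(?:\{(\w+)\}|(\w+))")

def expand_once(text, attrs):
    """Single pass: replace macros in `text`; inserted values are never rescanned."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        # Unknown names are left as literal text.
        return attrs.get(name, match.group(0))
    return MACRO.sub(substitute, text)

def expand_twice(text, attrs):
    """Models the bug: the already-expanded reply is evaluated a second time."""
    return expand_once(expand_once(text, attrs), attrs)

def client_selects_macro(text, attrs):
    """True when a second evaluation would change the reply, i.e. some
    substituted value was itself interpreted as a macro name."""
    return expand_once(text, attrs) != expand_twice(text, attrs)

# Constructed sample data (hypothetical attribute names and values).
ATTRS = {
    "helo_name": "${myhostname}",      # supplied by the SMTP client
    "client_address": "192.0.2.7",     # taken from the connection
    "myhostname": "mx.example.net",    # server-side value
}
# Text returned by a table lookup, written by the administrator.
TABLE_TEXT = "554 $helo_name rejected from $client_address"

if __name__ == "__main__":
    print("single pass:", expand_once(TABLE_TEXT, ATTRS))
    print("double pass:", expand_twice(TABLE_TEXT, ATTRS))
    print("client selects macro:", client_selects_macro(TABLE_TEXT, ATTRS))
```

With a single pass the client's `${myhostname}` stays literal text in the reply; only the second evaluation lets the client pick which macro name is resolved.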