Date: Mon, 26 Nov 2001 12:21:08 +0200
From: Maxim Sobolev <sobomax@FreeBSD.org>
To: "Jacques A. Vidrine" <n@nectar.com>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: projects/mfcns/handler MFCns_handler.py
Message-ID: <3C021794.5E2937EE@FreeBSD.org>
References: <200111250003.fAP03ZQ19248@freefall.freebsd.org> <20011125151432.GA630@shade.nectar.com>

"Jacques A. Vidrine" wrote:
>
> On Sat, Nov 24, 2001 at 04:03:35PM -0800, Maxim Sobolev wrote:
> > sobomax 2001/11/24 16:03:35 PST
> >
> > Modified files:
> > mfcns/handler MFCns_handler.py
> > Log:
> > Be more strict about what's allowed as a mail address to which notification
> > is to be sent. Particularly, disallow any of the shell meta-characters,
> > because this address is then passed to a system(3)-like routine, which
> > potentially may be exploited to execute arbitrary commands on a system at
> > which service is running.
> >
> > Revision Changes Path
> > 1.11 +6 -0 projects/mfcns/handler/MFCns_handler.py
>
> Not that it probably matters much here, but this is a pet peeve of
> mine: when applications disallow perfectly valid email addresses
> because the author for whatever reason doesn't properly handle some
> characters. This most often bites me whenever I use an address such
> as <n+some-spam-tracking-id@nectar.com>. Often the `+' confuses the
> script or is bounced outright.
>
> The following characters are all valid for the local part of an email
> address: [a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]. See RFC 822 (or 2822).
In general I agree, but the "correct" solution would take some time to
implement, while it was necessary to close a potential vulnerability
ASAP. Therefore, I decided to go that way, especially considering that
so far we do not have any committers with "funny" characters in their
handles.
-Maxim
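
An added example, not part of the original message and not the code in MFCns_handler.py: one way to accept every local-part character listed in the thread while keeping the address out of a shell, by passing it as a single argument-vector element. The mailer path, the domain pattern, the stand-in echo command and all function names are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Local-part characters exactly as listed in the thread (RFC 2822 atext plus ".").
LOCAL_RE = re.compile(r"[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+")
# Assumption: a plain host name is enough for the domain part.
DOMAIN_RE = re.compile(r"[a-zA-Z0-9](?:[a-zA-Z0-9.-]*[a-zA-Z0-9])?")

# Assumption: hypothetical mailer command; the address is appended as one argument.
MAILER = ("/usr/sbin/sendmail",)
# Constructed stand-in for the mailer: prints the argument it received.
ECHO_MAILER = (sys.executable, "-c", "import sys; print(sys.argv[1])")


def is_acceptable_address(addr):
    """True for local@domain built only from the characters the thread lists."""
    if len(addr) > 254 or addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not LOCAL_RE.fullmatch(local) or not DOMAIN_RE.fullmatch(domain):
        return False
    if local.startswith((".", "-")) or local.endswith(".") or ".." in local:
        return False  # bad dot placement, or a leading "-" a mailer could read as an option
    return True


def mailer_argv(addr, mailer=MAILER):
    """Build an argument vector; the address is never interpolated into a shell string."""
    if not is_acceptable_address(addr):
        raise ValueError("rejected address: %r" % (addr,))
    return [*mailer, addr]


def run_mailer(addr, mailer=MAILER, body=b""):
    """Run the mailer with shell=False (the default), so metacharacters stay literal."""
    done = subprocess.run(mailer_argv(addr, mailer), input=body,
                          capture_output=True, check=True)
    return done.stdout.decode().strip()


if __name__ == "__main__":
    for sample in ("n+some-spam-tracking-id@nectar.com",  # address from the thread
                   "a`b`|c$d&e@example.org",              # constructed: valid, all metacharacters
                   "user;id@example.org"):                # constructed: ';' is not in the set
        if is_acceptable_address(sample):
            print("accepted, received as:", run_mailer(sample, ECHO_MAILER))
        else:
            print("rejected:", sample)
```

Several characters in the RFC set (`` ` ``, `$`, `|`, `&`, `*`, `'`) are also shell metacharacters, so a character filter alone cannot both accept all valid addresses and protect a system(3)-style call; the argument-vector call is what keeps them inert.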
