On Wednesday 09 March 2005 10:42 am, Calin A. Culianu wrote:
> On Wed, 9 Mar 2005, Jeremy Kitchen wrote:
>
> [...]
>
> > well, I know they'll probably tell you that the %f flag won't be
> > resurrected.. but it might be kinda nice to add the filename to an
> > environment variable that the script can use...
>
> Ooooh that would be nice! Can I do that? Please?! Pretty please?! Would
> such a patch be considered?? I would find that _extremely_ useful!!
>
> (Then of course there still is a vulnerability if the script-writer isn't
> careful with his $Variable -- he really needs to properly quote it..)

yea but environment variable substitution in a shell is a lot easier to make 'secure' (just put quotes around it) than arbitrary string substitution in a command line.

Shouldn't be overly difficult to set an environment variable with the filename before calling the event program.

Plus, most people are probably going to be sending an email with the script, so something like:

qmail-inject -f [EMAIL PROTECTED] [EMAIL PROTECTED] <<EOF
From: Clamd Daemon <[EMAIL PROTECTED]>
To: System Administrator <[EMAIL PROTECTED]>

The following file was found to be infected with a virus: $INFECTED_FILE
The virus that infected this file is: $VIRUS_INFECTION

Hope this is useful information!
EOF

Should be perfectly safe, I would think..

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
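
The two hand-off styles discussed in the message above, run against a constructed file name. This is an added example, not code from the thread or from ClamAV: `notify_by_substitution` is a simplified model of %f-style expansion, and the function names, marker file and signature name are assumptions; `INFECTED_FILE` and `VIRUS_INFECTION` are the variable names used in the message.

```shell
#!/bin/sh
# Constructed input: a file name carrying a command substitution. If any shell
# re-parses the name as code, the marker file appears.
WORK=$(mktemp -d)
MARKER="$WORK/injected"
HOSTILE="/tmp/a\$(touch $MARKER) b.exe"

# Model of %f-style handling: the name is pasted into the command string and
# the string is given to a shell, which parses the name as shell syntax.
notify_by_substitution() {
    sh -c "echo infected: $1 >/dev/null"
}

# Environment hand-off: the name is data in the child's environment. The
# unquoted here-document delimiter expands the variable once, and the
# result is not parsed again.
notify_by_env() {
    INFECTED_FILE="$1" VIRUS_INFECTION="$2" sh -c 'cat <<EOF
The following file was found to be infected with a virus: $INFECTED_FILE
The virus that infected this file is: $VIRUS_INFECTION
EOF
'
}

# The quoting caveat from the quoted reply: unquoted, the value is field-split
# (and globbed) into several arguments; quoted, it stays one argument.
argc_unquoted() { INFECTED_FILE="$1" sh -c 'set -- $INFECTED_FILE; echo $#'; }
argc_quoted()   { INFECTED_FILE="$1" sh -c 'set -- "$INFECTED_FILE"; echo $#'; }

notify_by_substitution "$HOSTILE"
[ -e "$MARKER" ] && SUBST_RESULT=executed || SUBST_RESULT=inert
rm -f "$MARKER"

ENV_BODY=$(notify_by_env "$HOSTILE" "Constructed.Test.Signature")
[ -e "$MARKER" ] && ENV_RESULT=executed || ENV_RESULT=inert

echo "substitution: $SUBST_RESULT, environment: $ENV_RESULT"
echo "args unquoted: $(argc_unquoted "$HOSTILE"), quoted: $(argc_quoted "$HOSTILE")"
rm -rf "$WORK"
```

The here-document path stays inert because expansion results are not re-parsed; a handler that passes the variable to `eval` or another `sh -c` string would reintroduce the first behaviour.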