on Tue, Apr 09, 2002, Matijs van Zuijlen ([EMAIL PROTECTED]) wrote:
> On Tue, Apr 09, 2002 at 03:50:54AM -0700, Karsten M. Self wrote:
> > :0:
> > * ^X-Mailing-List: <\/[^@<>]+
> > $LISTDIR/$MATCH/
>
> As has been noted[1] in another thread on the same subject on
> debian-devel: this is dangerous. Someone could just send an email with
>
>   X-Mailing-List: <../something>
>
> in its headers to overwrite your file ~/something (and try other
> variations if that didn't work).
>
> [1] See:
> http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg02132.html

Good point. I was concerned about that...

Since it's matching on X-foo headers, it doesn't have to pass RFC
822/2822 rules either.

What's a good regexp that will catch characters up to the '@' then?

* ^X-BeenThere: \/[^.@<>]+

...will at least prevent the parent directory trick. Is there a good
washer for something like this that can be put into procmail?

Peace.

--
Karsten M. Self <[email protected]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
We freed Dmitry! Boycott Adobe! Repeal the DMCA!
http://www.freesklyarov.org
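Added example, not part of the original message: a Python model of the recipe that shows what each character class from the thread lets into $MATCH and where $LISTDIR/$MATCH/ then resolves. The LISTDIR value, the sample headers and the "allowlist" pattern are assumptions made for illustration, and both classes are applied to the same X-Mailing-List header so they can be compared.

```python
import posixpath
import re

LISTDIR = "/home/user/Mail/lists"  # constructed stand-in for $LISTDIR

# procmail's \/ marks where $MATCH starts; here it is written as a capture group.
FLAGS = re.I | re.M  # procmail conditions are case-insensitive by default
PATTERNS = {
    # class from the quoted recipe
    "original": re.compile(r"^X-Mailing-List: <([^@<>]+)", FLAGS),
    # class from the reply, with '.' excluded
    "no_dot": re.compile(r"^X-Mailing-List: <([^.@<>]+)", FLAGS),
    # assumption: accept only a plain list name directly followed by '@'
    "allowlist": re.compile(r"^X-Mailing-List: <([a-z0-9][a-z0-9_-]*)@", FLAGS),
}

# Constructed sample headers
GENUINE = "X-Mailing-List: <debian-user@lists.debian.org>\n"
TRAVERSAL = "X-Mailing-List: <../something>\n"
NESTED = "X-Mailing-List: <a/b@example.org>\n"


def match_value(name, headers):
    """Return the text that would land in $MATCH, or None if the recipe does not fire."""
    m = PATTERNS[name].search(headers)
    return m.group(1) if m else None


def delivery_path(name, headers):
    """Normalised form of $LISTDIR/$MATCH/, or None when nothing is delivered."""
    match = match_value(name, headers)
    if match is None:
        return None
    # The recipe concatenates strings, so a leading '/' in $MATCH stays under LISTDIR.
    return posixpath.normpath(LISTDIR + "/" + match)


def escapes_listdir(path):
    """True when a delivery path resolves outside LISTDIR."""
    return path is not None and not (path + "/").startswith(LISTDIR + "/")


if __name__ == "__main__":
    for label, headers in (("genuine", GENUINE), ("traversal", TRAVERSAL), ("nested", NESTED)):
        for name in PATTERNS:
            path = delivery_path(name, headers)
            print(f"{label:9} {name:9} -> {path} escapes={escapes_listdir(path)}")
```

Excluding '.' stops the parent directory case, but '/' still passes and lets a sender choose nested folder names under LISTDIR; the allowlist form rejects both.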

