On 12/3/16 1:48 AM, Viktor Dukhovni wrote:
On Dec 2, 2016, at 1:30 AM, @lbutlr <krem...@kreme.com> wrote:
I have a bash script that does it, and when a user wants this, I simply set up
a crontab for them. Usually after a week or so they want it turned off. The
script sends them a lightly styled HTML table in the email.
The heart of the script is:
if [ "$REJECT" = 1 ]; then
  echo '<tr><th> </th><th>IP address</th><th>Claimed address</th></tr>'
  bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep -v "Protocol error" | \
  grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected | \
  awk '{print "<tr><td class=\"rej\">REJECTED</td><td class=\"right\">"$16"</td><td>"$20"</td></tr>"}'
fi
Careful with that. Too easy to create a script injection vector. Bash is not
a good language in which to construct safely quoted remote content for injection
into a suitable HTML skeleton.
Injection from where? The script is only accessible to the root user on
the mail server and only checks /var/log/maillog (or the log specified
at the top of the script). There's no remote content involved.
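
Added example (not part of the thread, and not the poster's script): the from=<...> value in a reject line is whatever the connecting client sent as its envelope sender, so this version of the row-building step HTML-escapes both fields in awk before they are printed. It extracts the fields by pattern instead of the original's $16/$20 positions, which is an assumption about the log layout; sample_log, reject_rows and the two log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the script from the thread.
# sample_log: two constructed Postfix-style reject lines (not real log data).
sample_log() {
  cat <<'EOF'
Dec  2 01:30:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 blocked; from=<alice@example.com> to=<user@example.net> proto=ESMTP helo=<h1>
Dec  2 01:31:00 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[2001:db8::1]: 554 5.7.1 blocked; from=<a&b<i@example.com> to=<user@example.net> proto=ESMTP helo=<h2>
EOF
}

# reject_rows: stdin = reject lines, stdout = one escaped <tr> per line.
reject_rows() {
  awk '
    # Escape the five HTML-significant characters; "&" must go first.
    function esc(s) {
      gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s); gsub(/>/, "\\&gt;", s)
      gsub(/"/, "\\&quot;", s); gsub("\047", "\\&#39;", s)
      return s
    }
    {
      ip = ""; sender = ""
      # Client IP: the bracketed part of "from host[ip]".
      if (match($0, / from [^ ]+\[[^]]+\]/)) {
        m = substr($0, RSTART, RLENGTH)
        i = index(m, "[")
        ip = substr(m, i + 1, length(m) - i - 1)
      }
      # Envelope sender: text between "from=<" and the next ">".
      if (match($0, /from=<[^>]*>/))
        sender = substr($0, RSTART + 6, RLENGTH - 7)
      printf "<tr><td class=\"rej\">REJECTED</td><td class=\"right\">%s</td><td>%s</td></tr>\n", esc(ip), esc(sender)
    }'
}

sample_log | reject_rows
```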