Dear Postfix users,
I'm really grateful to Wietse who thankfully raised concerns regarding
Perl querying the verified senders database using postmap via the shell
as there was a real chance the sender (easily faked) could carry out
evil. My use of 'backticks' was a very bad idea as it turns out. I
managed to escape the script myself, so it would be very easy for professional
exploiters to do so. Lesson learned the Wietse way, not the way that
ends up with flames and spilt tears!
I think(?) that I have found the solution courtesy of
https://www.w3.org/Security/faq/.back/wwwsf5.html and perldocs.org (open).
I modified one of the W3C examples and shoved it into my function:
sub postmap
{
    my $sender = shift;

    # Belt-and-braces check: strip shell/glob metacharacters and refuse the
    # lookup if anything was removed. The exec LIST below never invokes a
    # shell, so this is defence in depth rather than the primary control.
    my $senderchk = $sender;
    $senderchk =~ s/[\$#~!&*{}()\[\];,:?^ `\\\/]+//g;   # check for undesirable chars even if legal
    if ($sender ne $senderchk) {
        return "9:0:0:Database not probed. Suspect characters detected in sender address.";
    }

    my $sf = "lmdb:/var/lib/postfix/verified_senders_2021";
    my $vsresult = "";

    # Fork; the child's STDOUT is connected to the POSTMAP handle in the parent.
    my $perlfork = open(POSTMAP, "-|");
    die "Couldn't open perl fork: $!" unless defined($perlfork);

    # Child: exec postmap with a LIST of arguments, so no shell ever parses $sender.
    # Note that a sender beginning with '-' is not caught by the character check
    # above and would be parsed by postmap as an option rather than a key.
    if ($perlfork == 0) {
        exec "/usr/sbin/postmap", "-fq", $sender, $sf
            or die "Couldn't execute postmap: $!";
    }

    # Parent: keep the last line postmap prints (the looked-up value, newline included).
    while (<POSTMAP>) { $vsresult = $_; }
    close POSTMAP;
    return $vsresult;
}
I'm hoping this will be the last on this subject, but I'll put it out to
you who have a superior knowledge of security. Is this method now safe?
Please, if anyone can see any security issues, do let me know. Apologies
to the Perl purists. I'm pretty sure I could have done better there, but
it does work. My main concern is whether it's safe.
Many thanks to you all,
Best wishes,
Mick.
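As an added example (not the original script, and not code from Postfix or the W3C page), here is the same lookup written with Perl's list-form pipe open, which is the idiomatic equivalent of the fork/exec in the function above, together with an offline contrast against backticks. The postmap path and map name are taken from the post; the helper names (sender_is_clean, run_argv, lookup_verified_sender) are hypothetical. The point it makes: once no shell is involved, the strip-and-compare blacklist is no longer the control that matters; what remains is that the sender must not be mistakable for a postmap option (a leading '-'), that the lookup key is validated against an allow-list that fails closed, and that postmap's exit status, not the presence of output, decides whether the key was found.

```perl
#!/usr/bin/perl
# Added example, not the original script: a postmap lookup with no shell in the
# path, an allow-list instead of a strip-list, and an offline demonstration of
# why backticks were dangerous. Assumes the postmap path and map name from the
# post; the helper names are hypothetical.
use strict;
use warnings;

my $POSTMAP = '/usr/sbin/postmap';                              # assumed path
my $MAP     = 'lmdb:/var/lib/postfix/verified_senders_2021';    # map name from the post

# Accept only RFC 5321 atext plus '.' and '@'. A strip-and-compare check lets
# through whatever it forgot to list; an allow-list fails closed.
sub sender_is_clean {
    my ($sender) = @_;
    return 0 unless defined $sender && length $sender;
    return 0 if length($sender) > 320;     # longer than any valid SMTP path
    return 0 if $sender =~ /\A-/;          # postmap would read it as an option, not a key
    return $sender =~ /\A[A-Za-z0-9.!#\$%&'*+\/=?^_`{|}~\@-]+\z/ ? 1 : 0;
}

# Run a program from an argv list. With two or more list elements, the '-|'
# open forks and execs the program directly (the same as exec LIST), so the
# sender reaches postmap byte-for-byte with no shell parsing in between.
# A single-string command, by contrast, may still be handed to /bin/sh.
# Returns (exit status, output lines).
sub run_argv {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot fork for $argv[0]: $!";
    my @lines = <$fh>;
    close $fh;                   # sets $? to the child's wait status
    chomp @lines;
    return ($? >> 8, @lines);
}

# postmap -q exits 0 and prints the value when the key exists and 1 when it
# does not; anything else (exec failure, unreadable map) is an error, not "absent".
sub lookup_verified_sender {
    my ($sender) = @_;
    return ('error', 'address rejected by allow-list') unless sender_is_clean($sender);
    my ($status, @out) = run_argv($POSTMAP, '-fq', $sender, $MAP);
    return ('found',  $out[0]) if $status == 0;
    return ('absent', undef)   if $status == 1;
    return ('error',  "postmap exited with status $status");
}

if (!caller) {
    # Constructed hostile address: a faked MAIL FROM carrying a shell command.
    my $hostile = 'user@example.com;echo INJECTED';

    # Offline contrast using echo as a stand-in for postmap.
    my @shell = `echo $hostile`;                    # backticks: /bin/sh acts on the ';'
    my ($st, @argv) = run_argv('echo', $hostile);   # list open: the ';' is just a byte
    printf "backticks produced %d line(s); list-form open produced %d line(s): %s\n",
        scalar @shell, scalar @argv, $argv[0];

    for my $s ('alice@example.com', $hostile, '-s') {
        printf "%-32s clean=%d\n", $s, sender_is_clean($s);
    }

    if (-x $POSTMAP) {
        my ($outcome, $detail) = lookup_verified_sender('alice@example.com');
        printf "live lookup: %s%s\n", $outcome, defined $detail ? " ($detail)" : '';
    } else {
        print "postmap not installed here; live lookup skipped\n";
    }
}
```

Run stand-alone, the self-check prints two lines from the backtick form and one from the list-form open for the same hostile string, rejects the hostile address and the option-shaped '-s' at the allow-list, and only attempts a real postmap query when the binary is present. The status-based result means a sender that is absent from the map and a broken map path are reported differently, which the "last line of output" approach cannot distinguish.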