On Mon, 2002-02-04 at 00:07, Jeremy Zawodny wrote:

> The docs are right that this is probably a security flaw. What's the flaw?
> As long as we're not doing "use re 'eval'" in the code, of course.

The relevant line of code is this:

    if ($addr =~ /$regexp/i) { return 1; }

where $regexp is the thing we read from the (possibly the user's) config file. Since it's interpolating the contents of $regexp, could not someone construct something nefarious to put in there? Certainly a savvy Perl user could construct a regexp that takes forever to evaluate and thereby launch a DoS attack. I don't know enough Perl to think of worse things, but I'm sure there are worse things.

> Any perl guru have a handy snippet for converting a glob-style
> pattern to a regex safely?

How much glob syntax do we want to support? Whose implementation of globbing?

Well, I think all I want is to translate '*' to '.*' -- what you might call 'MS-DOS glob' pattern matching, so you can do:

    *@foo.com

which matches anything at foo.com or FOO.COM (I'll leave it case-insensitive), or

    .*@foo.com

which matches any address at foo.com which starts with a period, or

    *@*.com

which matches any commercial email address, or

    *

which matches any address. But if you do any wacky regex stuff in there, it all gets escaped appropriately:

    (?:foo|baz)@*.[a-z]*.com

doesn't do anything like a Perl regex written that way would. It would only match some really bizarre (and probably non-RFC-compliant) addresses.

C

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
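An added example, not from this thread or from the SpamAssassin code, of the 'MS-DOS glob' translation described in the message above: every character of the config pattern except '*' is passed through quotemeta, '*' becomes '.*', the result is anchored so the whole address must match, and it is compiled once with qr//i. The function names glob_to_regex and addr_matches and the sample patterns and addresses are assumptions made for this example; the patterns are the ones from the post, and the addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not SpamAssassin's): turn an "MS-DOS glob" into a
# regex that cannot carry regex syntax of its own. Every character except
# '*' is escaped with quotemeta, so '(', '|', '[', '.' and friends are
# matched literally; '*' alone becomes '.*'. Anchoring with ^ and $ means
# the whole address has to match, and /i keeps the match case-insensitive.
sub glob_to_regex {
    my ($glob) = @_;
    my $re = join '', map { $_ eq '*' ? '.*' : quotemeta($_) } split //, $glob;
    return qr/^$re$/i;
}

# Hypothetical helper: does $addr match any of the glob patterns (e.g. the
# list read from a config file)? Only the translated, escaped form is ever
# interpolated into a regex, never the raw config string.
sub addr_matches {
    my ($addr, @globs) = @_;
    for my $g (@globs) {
        my $re = glob_to_regex($g);
        return 1 if $addr =~ $re;
    }
    return 0;
}

# Constructed test cases: [glob from the post, constructed address, expected].
my @cases = (
    ['*@foo.com',                'joe@FOO.COM',                 1],
    ['.*@foo.com',               '.hidden@foo.com',             1],
    ['.*@foo.com',               'joe@foo.com',                 0],  # leading '.' is literal
    ['*@*.com',                  'a@b.com',                     1],
    ['*',                        'anything@all.org',            1],
    ['(?:foo|baz)@*.[a-z]*.com', 'foo@bar.com',                 0],  # no alternation: '(?:' is literal
    ['(?:foo|baz)@*.[a-z]*.com', '(?:foo|baz)@x.[a-z]y.com',    1],  # only the odd literal text matches
    ['*@foo.com',                'joe@fooXcom',                 0],  # '.' in the glob is not any-char
);

for my $c (@cases) {
    my ($glob, $addr, $want) = @$c;
    my $got = addr_matches($addr, $glob);
    printf "%-28s %-28s %s\n", $glob, $addr, $got == $want ? 'ok' : 'FAIL';
}
```

Because the config value never reaches the regex engine unescaped, a pattern like "(?:foo|baz)@*.[a-z]*.com" is exactly as harmless as the post describes: it matches only addresses that literally contain those characters, and the only metacharacter a config author can introduce is '.*'. If a pattern list is matched against many addresses, compile each glob once up front rather than per call, as addr_matches does here for brevity.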