Re: [SAtalk] SpamAssassin 2.60 rc4 released

Fri, 12 Sep 2003 01:37:44 -0700 

One more thing (this will be noted in the documentation in 2.60 or the
next release candidate) ... if you use Razor2, you need to apply a small
patch to avoid taint-mode problems.  Here are the instructions.

------- start of cut text --------------
This information is originally from http://www.ijs.si/software/amavisd/
(Thanks to amavisd-new, Mark Martinec, and Vivek Khera!)

If SpamAssassin is configured to call Vipul's Razor 2.22 or higher
(until at least 2.36), it fails because Razor2 is not quite taint-safe.
It fails because reading its config file (routine read_file in
Razor2/Client/Config.pm) produces tainted values.  Razor2/Client/Core.pm
has a similar problem.

To apply: cd to the directory /usr/{lib,share}/perl5/.../Razor2 (wherever
Client/Config.pm and Client/Core.pm are located) and apply the patch
directly with:

  patch -p0 < patchfile

or apply to the Razor2 source tree with:

  patch -p0 -d lib/Razor2 < patchfile

--- Client/Config.pm~   2002-11-25 19:13:59.000000000 +0100
+++ Client/Config.pm    2002-11-11 19:29:17.000000000 +0100
@@ -373,6 +373,7 @@
             next unless /=/;
             my ($attribute, $value) = split /\=/, $_, 2; 
             $attribute =~ s/^\s+//; $attribute =~ s/\s+$//;
+            $value = $1  if $value =~ /^(.*)$/;  # untaint!
             $conf->{$attribute} = $self->parse_value($value);
         }
         $total++;
--- Client/Core.pm~     2002-11-25 19:07:38.000000000 +0100
+++ Client/Core.pm      2002-11-25 18:55:35.000000000 +0100
@@ -216,8 +216,10 @@
         foreach $rr ($query->answer) { 
             my $pushed = 0;
             if ($rr->type eq "A") { 
-                push @list, $rr->address; 
-                $pushed = 1;
+                if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) {
+                    push @list, $1; 
+                    $pushed = 1;
+                }
             } elsif ($rr->type eq "CNAME") { 
                 if ($rr->cname eq 'list.terminator') { 
                     pop @list if $pushed;
------- end ----------------------------

Daniel


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to