-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I followed the instructions below to patch Razor2's taint problem. The Config.pm patch worked perfectly, but the Core.pm patch failed at hunk 1. Is this an SA issue or a Razor issue (i.e., patch created by Razor folks or SA folks)?
- ------- start of cut text -------------- This information is originally from http://www.ijs.si/software/amavisd/ (Thanks to amavisd-new, Mark Martinec, and Vivek Khera!) If SpamAssassin is configured to call Vipul's Razor 2.22 or higher (until at least 2.36), it fails because Razor2 is not quite taint-safe. It fails because reading its config file (routine read_file in Razor2/Client/Config.pm) produces tainted values. Razor2/Client/Core.pm has a similar problem. To apply: cd to the directory /usr/{lib,share}/perl5/.../Razor2 (wherever Client/Config.pm and Client/Core.pm are located) and apply the patch directly with: patch -p0 < patchfile or apply to the Razor2 source tree with: patch -p0 -d lib/Razor2 < patchfile - --- Client/Config.pm~ 2002-11-25 19:13:59.000000000 +0100 +++ Client/Config.pm 2002-11-11 19:29:17.000000000 +0100 @@ -373,6 +373,7 @@ next unless /=/; my ($attribute, $value) = split /\=/, $_, 2; $attribute =~ s/^\s+//; $attribute =~ s/\s+$//; + $value = $1 if $value =~ /^(.*)$/; # untaint! $conf->{$attribute} = $self->parse_value($value); } $total++; - --- Client/Core.pm~ 2002-11-25 19:07:38.000000000 +0100 +++ Client/Core.pm 2002-11-25 18:55:35.000000000 +0100 
@@ -216,8 +216,10 @@ foreach $rr ($query->answer) { my $pushed = 0; if ($rr->type eq "A") { - - push @list, $rr->address; - - $pushed = 1; + if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) { + push @list, $1; + $pushed = 1; + } } elsif ($rr->type eq "CNAME") { if ($rr->cname eq 'list.terminator') { pop @list if $pushed; - ------- end ---------------------------- - ------------------------------
Mike Loiterman
grantADLER
Tel: 630-302-4944
Fax: 773-868-0071
Email: [EMAIL PROTECTED]
PGP Key 0xD1B9D18E

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBP2ZKuWjZbUnRudGOEQI8YACg848os9CEMP1D+yUKcrd8eO1r988AoKJm
93NcMeDWO5M3VB4erv7fSUw/
=Nueg
-----END PGP SIGNATURE-----

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
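
Review bot: In the Client/Config.pm hunk, the added `$value = $1 if $value =~ /^(.*)$/;` untaints without validating anything: `(.*)` accepts whatever is on the line, so taint mode no longer protects any later use of a value read from the config file. If the config file is meant to be trusted input, state that in the comment instead of `# untaint!`; otherwise capture only the characters a config value may legitimately contain. Two side effects of the pattern are also worth a comment: without /s it does not match a value containing an embedded newline, which then stays tainted, and `$` matches before a trailing newline, so a value that still carries one comes back without it.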
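
Review bot: In the Client/Core.pm hunk, `m/^(\d+\.\d+\.\d+\.\d+)$/` checks only the shape of the address, so a string such as 999.999.999.999 matches and is pushed onto @list untainted. Restrict each octet to one to three ASCII digits (`[0-9]{1,3}`), range-check it to 0-255, and prefer `\z` to `$` as the end anchor. An A record whose address fails the match is now skipped silently with $pushed left at 0; a debug log line on that path would make a dropped server visible. The removed lines read `- - push @list, $rr->address;` here because clearsigning dash-escapes every line that starts with `-`, so the escaping has to be undone before the patch is applied from this message.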