On Mon, 12 Jan 2004, Alex Satrapa wrote:

> MMoose wrote:
> > What I'd like to know is what are the real
> > implications of removing this switch?
>
> Removing the taint-checking means that you no longer have any checks in
> place to prevent malicious parties from tricking the program into
> executing arbitrary commands. Taint checking in virus scanners and spam
> filters is essential, since viruses and spam are by definition
> malicious. You want to make sure spam can't simply alter your virus
> scanner to turn it into a spam factory.
>
> It would be useful to post the messages that prompted you to turn off
> taint-checking.

Since I saw no followup to this, and I'm having issues right now with amavisd-new-20030616.p5 and a recent (i.e. tonight) upgrade of SpamAssassin to 2.63 (was working with 2.55), the two taint checks that I'm seeing failing with debug-sa are:

    Pyzor -> check failed: Insecure $ENV{PATH} while running with -T switch at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 870.

and

    DCC -> check failed: Insecure $ENV{PATH} while running with -T switch at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 735.

With a final failure at:

    Cannot get host name of local machine at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Util.pm line 444

I've had to disable spam checking in amavisd, since it won't start with it enabled ... not sure why it suddenly can't get the hostname of the machine though, but suspect it too may have to do with the Taint checking ... from the code @ line 444:

    # get the current host's unqualified domain name (better: return whatever
    # Sys::Hostname thinks our hostname is, might also be a full qualified one)
    sub hostname {
      return $hostname if defined($hostname);

      # Sys::Hostname isn't taint safe and might fall back to `hostname`. So we've
      # got to clean PATH before we may call it.
      clean_path_in_taint_mode();
      $hostname = Sys::Hostname::hostname();

      return $hostname;
    }

and run from the command line:

    neptune# perl -e 'use Sys::Hostname; print Sys::Hostname::hostname() . "\n";'
    neptune.hub.org

So looks fine to me ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED]           Yahoo!: yscrappy              ICQ: 7615664
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
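
The "Insecure $ENV{PATH}" failure reported in the message above can be reproduced outside SpamAssassin. The following is an added example, not code from the thread or from SpamAssassin: under `-T` it runs the external `hostname` command once with the inherited environment and once after resetting it as perlsec describes. The helper names `run_hostname` and `clean_env` and the trusted directories `/bin:/usr/bin` are assumptions.

```perl
use strict;
use warnings;

# ${^TAINT} is non-zero only when perl was started with -T.
die "run as: perl -T $0\n" unless ${^TAINT};

# Run the external `hostname` command (the fallback the quoted source comment
# mentions). Taint violations are fatal, so trap them with eval and return
# (output, error) with the " at FILE line N." suffix stripped from the error.
sub run_hostname {
    my $out = eval { my $h = `hostname`; chomp $h if defined $h; $h };
    my $err = $@;
    $err =~ s/ at .+ line \d+\.\s*\z//;
    return ($out, $err);
}

# Before spawning anything under -T: set PATH to a fixed list of trusted
# directories (assumed here) and drop the variables a shell would act on.
sub clean_env {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

# Print one result line for a labelled attempt.
sub report {
    my ($label, $out, $err) = @_;
    my $result = $err          ? "refused: $err"
               : defined $out  ? "ran, output: $out"
               :                 "command produced no output";
    print "$label $result\n";
}

# Attempt 1: PATH exactly as inherited from the caller (tainted).
report('inherited environment:', run_hostname());

# Attempt 2: same command after the environment has been reset.
clean_env();
report('cleaned environment:  ', run_hostname());
```

The command never changes between the two attempts; only the origin of `PATH` does, which is why the one-liner without `-T` shown in the message succeeds while the same lookup inside a taint-mode daemon can be refused.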