Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/add_header.sh | 20 | ||||
| -rw-r--r-- | scripts/spamassassin.sh | 20 | 
2 files changed, 40 insertions, 0 deletions
|
diff --git a/scripts/add_header.sh b/scripts/add_header.sh
index 9a9af75..d4d524a 100644
--- a/scripts/add_header.sh
+++ b/scripts/add_header.sh
@@ -16,6 +16,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#   WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+#  By using variables passed in from clamsmtpd in file
+#  manipulation commands without escaping their contents
+#  you are opening yourself up to REMOTE COMPROMISE. You
+#  have been warned. Do NOT do the following unless you
+#  want to be screwed big time:
+#
+#  mv $EMAIL "$SENDER.eml"
+#
+#  An attacker can use the above command to compromise your
+#  computer. The only variable that is guaranteed safe in
+#  this regard is $EMAIL.
+#
+#  The following script does not escape its variables
+#  because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe the email through this command
 formail -i "Subject: Changed subject from $SENDER ..."
diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh
index 4a6e8fe..9e88f75 100644
--- a/scripts/spamassassin.sh
+++ b/scripts/spamassassin.sh
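Review bot: In scripts/add_header.sh the warning names "escaping" as the missing step, but its own example `mv $EMAIL "$SENDER.eml"` already double-quotes `$SENDER`, so a reader could conclude that quoting is the fix. The risk in that line is that a sender-chosen value becomes part of a file name, and the comment should say what to do instead, for example `#  Quoting alone does not make $SENDER safe as a file name; do not build paths from it, or first reduce it to a known-safe character set.` The block also says the variables come from clamsmtpd while the context line above points to proxsmtpd.conf(5); if these scripts ship with proxsmtp, the name should match. The identical block added to scripts/spamassassin.sh has the same wording issues.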
@@ -14,6 +14,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#   WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+#  By using variables passed in from clamsmtpd in file
+#  manipulation commands without escaping their contents
+#  you are opening yourself up to REMOTE COMPROMISE. You
+#  have been warned. Do NOT do the following unless you
+#  want to be screwed big time:
+#
+#  mv $EMAIL "$SENDER.eml"
+#
+#  An attacker can use the above command to compromise your
+#  computer. The only variable that is guaranteed safe in
+#  this regard is $EMAIL.
+#
+#  The following script does not escape its variables
+#  because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe mail through this command
 spamassassin -e
|
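Review bot: The closing paragraph of the warning in scripts/spamassassin.sh ("does not escape its variables because it only uses them in safe ways") appears to be copied from add_header.sh and does not match what is visible here: the only command after the hunk is `spamassassin -e`, which uses none of the passed-in variables. If the rest of the script (outside this hunk) uses none either, a line such as `#  The following script does not use any of these variables.` would be accurate and would not suggest that unescaped use is acceptable by default.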
