diff options
author | Stef Walter <stef@memberwebs.com> | 2004-11-26 23:15:42 +0000 |
---|---|---|
committer | Stef Walter <stef@memberwebs.com> | 2004-11-26 23:15:42 +0000 |
commit | 1ff6f4ceba9b56980a1010434e5c3641c4c93048 (patch) | |
tree | f7b9019691a52fda9e1350ac28253d715fbae71c | |
parent | 12c4436a96a3b4fb76b60c21b1819ba883ab9296 (diff) |
Add big scary warnings to scripts.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | scripts/add_header.sh | 20 | ||||
-rw-r--r-- | scripts/spamassassin.sh | 20 |
3 files changed, 42 insertions, 1 deletions
@@ -1,5 +1,6 @@ -0.7 ????? +1.0 ????? + - Added big scary warnings to the sample scripts about escaping variables. - Documentation fixes [Olivier Beyssac] 0.6 [2004-10-30] diff --git a/scripts/add_header.sh b/scripts/add_header.sh index 9a9af75..d4d524a 100644 --- a/scripts/add_header.sh +++ b/scripts/add_header.sh @@ -16,6 +16,26 @@ # See proxsmtpd.conf(5) for configuration details # +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING WARNING WARNING WARNING WARNING WARNING WARNING +# +# By using variables passed in from clamsmtpd in file +# manipulation commands without escaping their contents +# you are opening yourself up to REMOTE COMPROMISE. You +# have been warned. Do NOT do the following unless you +# want to be screwed big time: +# +# mv $EMAIL "$SENDER.eml" +# +# An attacker can use the above command to compromise your +# computer. The only variable that is guaranteed safe in +# this regard is $EMAIL. +# +# The following script does not escape its variables +# because it only uses them in safe ways. +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + # Pipe the email through this command formail -i "Subject: Changed subject from $SENDER ..." diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh index 4a6e8fe..9e88f75 100644 --- a/scripts/spamassassin.sh +++ b/scripts/spamassassin.sh @@ -14,6 +14,26 @@ # See proxsmtpd.conf(5) for configuration details # +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING WARNING WARNING WARNING WARNING WARNING WARNING +# +# By using variables passed in from clamsmtpd in file +# manipulation commands without escaping their contents +# you are opening yourself up to REMOTE COMPROMISE. You +# have been warned. Do NOT do the following unless you +# want to be screwed big time: +# +# mv $EMAIL "$SENDER.eml" +# +# An attacker can use the above command to compromise your +# computer. The only variable that is guaranteed safe in +# this regard is $EMAIL. +# +# The following script does not escape its variables +# because it only uses them in safe ways. +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + # Pipe mail through this command spamassassin -e |