author Stef Walter <stef@memberwebs.com> 2004-11-26 23:15:42 +0000
committer Stef Walter <stef@memberwebs.com> 2004-11-26 23:15:42 +0000
commit 1ff6f4ceba9b56980a1010434e5c3641c4c93048
tree f7b9019691a52fda9e1350ac28253d715fbae71c
parent 12c4436a96a3b4fb76b60c21b1819ba883ab9296
Add big scary warnings to scripts.
-rw-r--r-- ChangeLog 3
-rw-r--r-- scripts/add_header.sh 20
-rw-r--r-- scripts/spamassassin.sh 20
3 files changed, 42 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index e25711c..9169d7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
-0.7 ?????
+1.0 ?????
+ - Added big scary warnings to the sample scripts about escaping variables.
- Documentation fixes [Olivier Beyssac]
0.6 [2004-10-30]
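Review bot: The first line of this hunk changes the pending release from "0.7 ?????" to "1.0 ?????", which the commit message ("Add big scary warnings to scripts.") does not mention. If the version jump is intended, put it in its own commit or name it in the message so the history shows when the release number changed; the new ChangeLog entry for the warnings is fine as written.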
diff --git a/scripts/add_header.sh b/scripts/add_header.sh
index 9a9af75..d4d524a 100644
--- a/scripts/add_header.sh
+++ b/scripts/add_header.sh
@@ -16,6 +16,26 @@
# See proxsmtpd.conf(5) for configuration details
#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+# By using variables passed in from clamsmtpd in file
+# manipulation commands without escaping their contents
+# you are opening yourself up to REMOTE COMPROMISE. You
+# have been warned. Do NOT do the following unless you
+# want to be screwed big time:
+#
+# mv $EMAIL "$SENDER.eml"
+#
+# An attacker can use the above command to compromise your
+# computer. The only variable that is guaranteed safe in
+# this regard is $EMAIL.
+#
+# The following script does not escape its variables
+# because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
# Pipe the email through this command
formail -i "Subject: Changed subject from $SENDER ..."
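Review bot: The added warning names clamsmtpd as the source of the variables, but the unchanged header line just above it points to proxsmtpd.conf(5), so the comment should name proxsmtpd (or both daemons, if the sample is shared between them). The warning also tells the reader to escape variables without showing what an acceptable use looks like; one line contrasting the `mv $EMAIL "$SENDER.eml"` example with a form that does not build a file name from $SENDER would make it actionable. Since the formail line below interpolates $SENDER into a quoted argument, the comment should say why that use counts as safe rather than only asserting it.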
diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh
index 4a6e8fe..9e88f75 100644
--- a/scripts/spamassassin.sh
+++ b/scripts/spamassassin.sh
@@ -14,6 +14,26 @@
# See proxsmtpd.conf(5) for configuration details
#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+# By using variables passed in from clamsmtpd in file
+# manipulation commands without escaping their contents
+# you are opening yourself up to REMOTE COMPROMISE. You
+# have been warned. Do NOT do the following unless you
+# want to be screwed big time:
+#
+# mv $EMAIL "$SENDER.eml"
+#
+# An attacker can use the above command to compromise your
+# computer. The only variable that is guaranteed safe in
+# this regard is $EMAIL.
+#
+# The following script does not escape its variables
+# because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
# Pipe mail through this command
spamassassin -e
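Review bot: The closing sentence of the warning, "The following script does not escape its variables because it only uses them in safe ways", does not match this file: the only command visible after it is "spamassassin -e", which uses no variables. Reword it for this script, for example to say that it uses none of the passed-in variables. The 20-line block is also a verbatim copy of the one added to add_header.sh, including the clamsmtpd reference under a proxsmtpd.conf(5) header, so consider keeping the full text in one place and pointing to it from each sample script.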