From 1ff6f4ceba9b56980a1010434e5c3641c4c93048 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 26 Nov 2004 23:15:42 +0000
Subject: Add big scary warnings to scripts.
---
 ChangeLog | 3 ++-
 scripts/add_header.sh | 20 ++++++++++++++++++++
 scripts/spamassassin.sh | 20 ++++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index e25711c..9169d7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
-0.7 ?????
+1.0 ?????
+ - Added big scary warnings to the sample scripts about escaping variables.
  - Documentation fixes [Olivier Beyssac]
 0.6 [2004-10-30]
diff --git a/scripts/add_header.sh b/scripts/add_header.sh
index 9a9af75..d4d524a 100644
--- a/scripts/add_header.sh
+++ b/scripts/add_header.sh
@@ -16,6 +16,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+# By using variables passed in from clamsmtpd in file
+# manipulation commands without escaping their contents
+# you are opening yourself up to REMOTE COMPROMISE. You
+# have been warned. Do NOT do the following unless you
+# want to be screwed big time:
+#
+# mv $EMAIL "$SENDER.eml"
+#
+# An attacker can use the above command to compromise your
+# computer. The only variable that is guaranteed safe in
+# this regard is $EMAIL.
+#
+# The following script does not escape its variables
+# because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe the email through this command
 formail -i "Subject: Changed subject from $SENDER ..."
diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh
index 4a6e8fe..9e88f75 100644
--- a/scripts/spamassassin.sh
+++ b/scripts/spamassassin.sh
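Review bot: The new warning block in scripts/add_header.sh names the wrong daemon: it says the variables are `passed in from clamsmtpd`, while the context line directly above it documents the script for proxsmtpd (`# See proxsmtpd.conf(5) for configuration details`), so the comment should read `# By using variables passed in from proxsmtpd in file`; the identical block added to scripts/spamassassin.sh has the same mismatch. The advice to "escape" the variables also understates the risk: double-quoting `$SENDER` only stops word splitting and globbing, but an address used as a filename can still contain `/` or `..` and name a path outside the intended directory, so the block should state that sender-derived values must never be used to build filenames or command lines at all and should only be passed as a quoted data argument, as the `formail -i "Subject: Changed subject from $SENDER ..."` context line does. Both hunks begin part-way through the script preamble, so the lines before `# See proxsmtpd.conf(5)` are outside the hunk.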
@@ -14,6 +14,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+# By using variables passed in from clamsmtpd in file
+# manipulation commands without escaping their contents
+# you are opening yourself up to REMOTE COMPROMISE. You
+# have been warned. Do NOT do the following unless you
+# want to be screwed big time:
+#
+# mv $EMAIL "$SENDER.eml"
+#
+# An attacker can use the above command to compromise your
+# computer. The only variable that is guaranteed safe in
+# this regard is $EMAIL.
+#
+# The following script does not escape its variables
+# because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe mail through this command
 spamassassin -e
-- 
cgit v1.2.3