From 1ff6f4ceba9b56980a1010434e5c3641c4c93048 Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Fri, 26 Nov 2004 23:15:42 +0000
Subject: Add big scary warnings to scripts.

---
 ChangeLog               |  3 ++-
 scripts/add_header.sh   | 20 ++++++++++++++++++++
 scripts/spamassassin.sh | 20 ++++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e25711c..9169d7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
-0.7  ?????
+1.0  ?????
 
+  - Added big scary warnings to the sample scripts about escaping variables.
   - Documentation fixes [Olivier Beyssac]
 
 0.6  [2004-10-30]
diff --git a/scripts/add_header.sh b/scripts/add_header.sh
index 9a9af75..d4d524a 100644
--- a/scripts/add_header.sh
+++ b/scripts/add_header.sh
@@ -16,6 +16,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
 
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#   WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+#  By using variables passed in from clamsmtpd in file
+#  manipulation commands without escaping their contents
+#  you are opening yourself up to REMOTE COMPROMISE. You
+#  have been warned. Do NOT do the following unless you
+#  want to be screwed big time:
+#
+#  mv $EMAIL "$SENDER.eml"
+#
+#  An attacker can use the above command to compromise your
+#  computer. The only variable that is guaranteed safe in
+#  this regard is $EMAIL.
+#
+#  The following script does not escape its variables
+#  because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe the email through this command
 formail -i "Subject: Changed subject from $SENDER ..."
 
diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh
index 4a6e8fe..9e88f75 100644
--- a/scripts/spamassassin.sh
+++ b/scripts/spamassassin.sh
@@ -14,6 +14,26 @@
 # See proxsmtpd.conf(5) for configuration details
 #
 
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#   WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+#
+#  By using variables passed in from clamsmtpd in file
+#  manipulation commands without escaping their contents
+#  you are opening yourself up to REMOTE COMPROMISE. You
+#  have been warned. Do NOT do the following unless you
+#  want to be screwed big time:
+#
+#  mv $EMAIL "$SENDER.eml"
+#
+#  An attacker can use the above command to compromise your
+#  computer. The only variable that is guaranteed safe in
+#  this regard is $EMAIL.
+#
+#  The following script does not escape its variables
+#  because it only uses them in safe ways.
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 # Pipe mail through this command
 spamassassin -e
 
-- 
cgit v1.2.3