From 1ff6f4ceba9b56980a1010434e5c3641c4c93048 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 26 Nov 2004 23:15:42 +0000 Subject: Add big scary warnings to scripts. --- scripts/add_header.sh | 20 ++++++++++++++++++++ scripts/spamassassin.sh | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+) (limited to 'scripts') diff --git a/scripts/add_header.sh b/scripts/add_header.sh index 9a9af75..d4d524a 100644 --- a/scripts/add_header.sh +++ b/scripts/add_header.sh @@ -16,6 +16,26 @@ # See proxsmtpd.conf(5) for configuration details # +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING WARNING WARNING WARNING WARNING WARNING WARNING +# +# By using variables passed in from clamsmtpd in file +# manipulation commands without escaping their contents +# you are opening yourself up to REMOTE COMPROMISE. You +# have been warned. Do NOT do the following unless you +# want to be screwed big time: +# +# mv $EMAIL "$SENDER.eml" +# +# An attacker can use the above command to compromise your +# computer. The only variable that is guaranteed safe in +# this regard is $EMAIL. +# +# The following script does not escape its variables +# because it only uses them in safe ways. +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + # Pipe the email through this command formail -i "Subject: Changed subject from $SENDER ..." diff --git a/scripts/spamassassin.sh b/scripts/spamassassin.sh index 4a6e8fe..9e88f75 100644 --- a/scripts/spamassassin.sh +++ b/scripts/spamassassin.sh @@ -14,6 +14,26 @@ # See proxsmtpd.conf(5) for configuration details # +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING WARNING WARNING WARNING WARNING WARNING WARNING +# +# By using variables passed in from clamsmtpd in file +# manipulation commands without escaping their contents +# you are opening yourself up to REMOTE COMPROMISE. You +# have been warned. Do NOT do the following unless you +# want to be screwed big time: +# +# mv $EMAIL "$SENDER.eml" +# +# An attacker can use the above command to compromise your +# computer. The only variable that is guaranteed safe in +# this regard is $EMAIL. +# +# The following script does not escape its variables +# because it only uses them in safe ways. +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + # Pipe mail through this command spamassassin -e -- cgit v1.2.3