On Thu, 25 Jan 2007, Petr Janda wrote:

> Hey there,
> Im trying to figure out something. If I had Postfix execute a ruby
> script that says
>
> Kernel.exec "/usr/sbin/sendmail -i -f #{@sender} -- #{@recipient}"
>
> would this be a huge security risk? to me it seems so because if you had
> a specially crafted email address you could execute a different command.
> How to protect against it?
>
> Cheers,
> Petr
>

   harp:~ > cat a.rb
   require 'tmail'

   def valid_addr addr
     TMail::Address::parse addr
     addr
   end

   p(valid_addr('42 / fortytwo.org'))
   p(valid_addr('` rm -rf / `@fortytwo.org'))

   harp:~ > ruby a.rb
   "42 / fortytwo.org"
   parser.y:370:in `on_error': parse error on token "@" (TMail::SyntaxError)
           from a.rb:1:in `_racc_yyparse_c'
           from parser.y:366:in `parse_in'
           from /home/aamine/lib/ruby/racc/parser.rb:154:in `yyparse'
           from parser.y:357:in `parse'
           from parser.y:335:in `parse'
           from /home/ahoward//lib/ruby/site_ruby/1.8/tmail/address.rb:21:in `parse'
           from a.rb:4:in `valid_addr'
           from a.rb:9

or you can write your own from rfc2822

regards.

-a
-- 
we can deny everything, except that we have the possibility of being better.
simply reflect on that.
- the dalai lama