On 1/24/07, Robert Klemme <shortcutter / googlemail.com> wrote:
> On 24.01.2007 16:09, Petr Janda wrote:
> > I'm trying to figure out something. If I had Postfix execute a ruby
> > script that says
> >
> > Kernel.exec "/usr/sbin/sendmail -i -f #{@sender} -- #{@recipient}"
> >
> > would this be a huge security risk? To me it seems so, because if you had
> > a specially crafted email address you could execute a different command.
> > How to protect against it?
>
> As always with input parameters: verify them.  Make sure those variables
> contain what you expect / want to allow them to.
>
> Kind regards
>
>         robert
>

Robert is correct - you would be surprised how much stuff is legal in
an RFC2822-compliant e-mail address. I just successfully sent mail to
these 100% valid addresses:

|/dev/null / example.com
(rm -rf *)subshell / example.com
"; rm -rf /tmp/path/* ;"@example.com

(replacing example.com with a domain that I own). No quotes are
required on that first example: pipe and forward slash aren't even
specials in RFC2822. Nor is ampersand. Nor backtick. And parens are
used for comments in addresses. And quoted bits are allowed in local
parts, so you can shoehorn in semicolons.

If you're going to use exec, you need to process those address bits
separately to find the SUBSET of RFC2822 addresses that your process
is willing to accept. Because with enough quoting and escaping, I can
send almost anything as the sender of an e-mail message.

Unless you have a strong use case otherwise, I suggest allowing only
[-_.a-zA-Z0-9]

-Alex
...former e-mail server admin
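An added example (mine, not code from Alex's post or the original thread) of applying that advice in Ruby: accept only the [-_.a-zA-Z0-9] subset on each side of the @, and hand sendmail an argument list so no shell ever sees the address. The sendmail path and flags are the ones from Petr's original line; the three crafted addresses are the ones Alex lists, with @ restored.

```ruby
# Conservative subset of RFC 2822, as suggested above: each side of the "@"
# may contain only [-_.a-zA-Z0-9]. Everything else is rejected outright.
SAFE_ATOM = /\A[-_.a-zA-Z0-9]+\z/

def safe_address?(addr)
  return false unless addr.is_a?(String) && addr.count("@") == 1
  local, domain = addr.split("@", 2)
  return false if local.empty? || domain.empty?
  # A leading "-" could be parsed by sendmail as an option; refuse it too.
  return false if local.start_with?("-") || domain.start_with?("-")
  SAFE_ATOM.match?(local) && SAFE_ATOM.match?(domain)
end

# Build the argv for sendmail. With several arguments, Kernel.exec / Kernel.system
# run the program directly instead of through /bin/sh, so pipes, backticks,
# semicolons and parens in an address are never interpreted. "--" ends option
# parsing, so the recipient cannot be mistaken for a flag either.
def sendmail_argv(sender, recipient)
  raise ArgumentError, "unsafe sender: #{sender.inspect}" unless safe_address?(sender)
  raise ArgumentError, "unsafe recipient: #{recipient.inspect}" unless safe_address?(recipient)
  ["/usr/sbin/sendmail", "-i", "-f", sender, "--", recipient]
end

# Replacement for the original one-line exec: validate first, then exec argv.
def deliver(sender, recipient)
  exec(*sendmail_argv(sender, recipient))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the three addresses from the post, plus a plain one.
  ["|/dev/null@example.com",
   "(rm -rf *)subshell@example.com",
   "\"; rm -rf /tmp/path/* ;\"@example.com",
   "alice.smith@example.com"].each do |a|
    puts "#{a.inspect} -> #{safe_address?(a) ? 'accepted' : 'rejected'}"
  end
end
```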