Re: security review of variables

2005-07-14 18:39:11

Regarding truncation of values in sieve variables...

Ned Freed <ned(_dot_)freed(_at_)mrochek(_dot_)com> writes:
It seems to me the useful alternative would be to have a way of testing to see
if truncation has occurred. This way you could code tests to see if the
data being processed is abnormally large and respond accordingly.

For comparison, procmail had a configurable limit on the length of
variable expansions and a means to test whether that limit has been
reached.  To the best of my knowledge, the mechanism for the test (the
PROCMAIL_OVERFLOW variable) has never been used in a real world script
to modify the script's behavior.

But even this is of extremely marginal utility, for two reasons. First, string
sizes can already be checked, and it probably makes more sense to see if
something is abnormally long rather than checking to see if it has bumped up
against a truncation limit. Second, the availability of such a mechanism does
not mean it will actually be used, and my guess is that any such feature (and
this includes the namespace stuff) will see little if any actual use. And
rarely used features are security risks in and of themselves.

I completely agree with all of the above.

Philip Guenther

