ietf-mta-filters

Re: Advertising per-server limit on number of redirects in ManageSieve

2008-09-14 04:30:15

On Sat, Sep 13, 2008 at 8:59 PM, Ned Freed 
<ned(_dot_)freed(_at_)mrochek(_dot_)com> wrote:
On Sat, Sep 13, 2008 at 5:27 PM, Ned Freed 
<ned(_dot_)freed(_at_)mrochek(_dot_)com> wrote:

I've recently added an option to my Sieve implementation to limit the
number of Sieve redirects in a script.

We have a similar option.

any particular reason for adding this restriction?

You mean aside from the fact that RFC 5228 flatly requires it?

from RFC5228:

10. Security Considerations
...
   (2) MUST provide the means for administrators to limit the ability of
       users to abuse redirect.  In particular, it MUST be possible to
       limit the number of redirects a script can perform.
       Additionally, if no use cases exist for using redirect to
       multiple destinations, this limit SHOULD be set to 1.  Additional
       limits, such as the ability to restrict redirect to local users,
       MAY also be implemented.

"flatly" seems to be a little of an overstatement. the RFC seems to be
agnostic about the way this effect should be achieved. there is a
reasonable argument that this requirement may be better implemented by
a system assembler than in a script interpreter.

How about it keeps malicious users from using Sieves to construct enormous
mailbombs?

just wanted to be clear that this is a security restriction

Perhaps I wasn't clear. This is not a new option we just implemented. It has
been part of our implementation from the beginning. While I continue to think
that the IESG concerns with redirect issues during the process that led up to
RFC 5228 were overblown,

i agree. i think there are much easier ways to achieve similar
effects. IMHO a more likely scenario would be a bug in a sieve
interpreter or editor.

I have to say I regard not having such a limit as irresponsible.

from a systematic perspective, i agree. less sure about imposing
inefficient division of labour between library and system, though.

I thought it might be useful to be able to advertise such limit in
ManageSieve, so that clever UI editors can do clever things. Thoughts?

Seems very reasonable to me. Just make sure it's clearly a limit on the number
of redirect actions a script can perform during a single evaluation. There
should be no limit on the number of redirects a script can contain.

if it's a limit on the number of redirect actions a script can perform
during a single evaluation (and not a limit on the number of redirects
a script can contain), then what clever things would you expect a
clever editor to be able to do?

Simple: A clever editor wouldn't let a user construct a Sieve that performs
more than that many redirects in a single block.

ok - so it's about allowing a simple check for a clear use case
(rather than anything more comprehensive). makes sense.

Whether or not such a case can arise depends on how the editor works, of
course. A limited editor that only allows construction of Sieves of the general
form

  if single-test1 {single-action1;}
  if single-test2 {single-action2;}

gets little if any benefit from this, but a more sophisticated editor that
allows the construction of things like:

  if test {action1; action2; action3;}

would definitely benefit.

+1

BTW do any sophisticated editors actually exist yet?

- robert
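
The per-block check discussed in this thread, sketched as an added example that is not part of the original messages or of any Sieve implementation: it counts the redirect commands written directly in each block and reports blocks that exceed a limit. The function names, the simplified tokenizer (no multi-line `text:` strings) and the sample script are assumptions made for illustration; the limit is supplied by the caller.

```python
import re

# Simplified Sieve tokenizer: quoted strings, # and /* */ comments, braces,
# semicolons, bare words. Assumption: the script has no "text:" multi-line strings.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};"#]+', re.S)

# Constructed sample script (not from the thread).
SAMPLE = '''
require ["fileinto"];
# redirect "not-counted@example.com";
if header :contains "subject" "redirect" { redirect "a@example.com"; }
if address :is "from" "boss@example.com" {
    redirect "b@example.com"; redirect "c@example.com"; redirect "d@example.com";
    fileinto "boss";
}
'''

def redirects_per_block(script):
    """Return (block_header, count) per block; nested blocks are counted separately."""
    results = []
    stack = [["<top level>", 0]]   # [header text, redirects written directly here]
    words = []                     # tokens seen since the last ';', '{' or '}'
    for tok in TOKEN.findall(script):
        if tok.startswith(("#", "/*")):
            continue               # comments never count
        if tok == "{":
            stack.append([" ".join(words), 0])
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            results.append(tuple(stack.pop()))
            words = []
        elif tok == ";":
            words = []
        else:
            # Only the first token of a statement is a command name.
            if not words and tok.lower() == "redirect":
                stack[-1][1] += 1
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    results.append(tuple(stack.pop()))
    return results

def blocks_over_limit(script, limit):
    """Blocks an editor would reject: more direct redirects than the limit."""
    return [(hdr, n) for hdr, n in redirects_per_block(script) if n > limit]
```

This is an editor-side convenience check only; it does not replace the interpreter's own enforcement of the limit at evaluation time, since redirects in different blocks can also execute in the same evaluation.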