Philip Guenther <guenther(_at_)gac(_dot_)edu> wisely said:
These recipes both work, and are therefore dangerous. Folks, you
*must* be paranoid, or someone else will take you to the security
cleaners. Giving someone a recipe like this is like giving someone
a window lock... which opens from both sides. Doing it right isn't
*that* much harder, is it?
[snip]
:0bDB
* ^begin
* ! ^begin.*[^-a-z0-9A-Z_.]
* ^end$
| (cd files_directory; awk '/begin/,/end/' | uuconvert)
That one new condition will protect you from uudecoding to outside of
the "files_directory" directory, and will limit filenames in there to
alphanumerics, '_', '.', and '-'.
[snip]
Just consider a message that contains:
begin ../.procmailrc 644
Mskfhskjfsdkjhfsdkjhdskj
...
Msk
end
begin foo 644
Or one that contains:
begin ../.rhosts
...
end
Let your imagination guess the possible contents :^(
Lates!
---------------------------------------------------------------------------
Tim <bodysurf(_at_)pobox(_dot_)com>
mailto:bodysurf(_at_)pobox(_dot_)com
Finger bodysurf(_at_)pobox(_dot_)com for my PGP public key (Bits 1024/KeyID 09DA5C49).
PGP Key FPrint (09/03/94): 4C 97 F1 FA 70 55 68 91 49 D1 AD F2 DD 63 0C 15
---------------------> Please PGP encrypt your email <---------------------
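An added example (Python, not the recipe from the thread above and not code Philip or Tim posted) of doing the check the way Tim's objection says it has to be done: every "begin" header in the body is parsed and validated before anything is written, so a clean first block cannot carry a second one aimed at ../.procmailrc or .rhosts, and an odd-looking header is rejected instead of being handed to the decoder. It keeps the quoted recipe's filename alphabet and additionally refuses names starting with '.'. It assumes the standard uuencode header form "begin <octal mode> <name>"; the function names (find_uu_blocks, check_blocks, safe_uudecode, decode_in_scratch) and the sample bodies are constructed for this example.

```python
import binascii
import os
import re
import tempfile
from pathlib import Path

# Filename policy from the quoted recipe (alphanumerics, '_', '.', '-'),
# tightened so a name may not start with '.', which rules out dotfiles
# such as .procmailrc and .rhosts.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_][-A-Za-z0-9_.]*$')
# Standard uuencode header "begin <octal mode> <name>" (assumed format).
BEGIN_LINE = re.compile(r'^begin ([0-7]{3,4}) (.+)$')


def find_uu_blocks(body):
    """Return [(name, mode, data_lines), ...] for every block in body.
    Every 'begin' line is inspected, not only the first one."""
    blocks, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        if not re.match(r'begin\b', lines[i]):
            i += 1
            continue
        m = BEGIN_LINE.match(lines[i])
        if not m:
            raise ValueError('malformed begin line: %r' % lines[i])
        name, mode = m.group(2), int(m.group(1), 8)
        data = []
        i += 1
        while i < len(lines) and lines[i] != 'end':
            data.append(lines[i])
            i += 1
        if i >= len(lines):
            raise ValueError('begin %r has no matching end' % name)
        blocks.append((name, mode, data))
        i += 1
    return blocks


def check_blocks(body):
    """Return a list of reasons to reject the body; empty means acceptable."""
    try:
        blocks = find_uu_blocks(body)
    except ValueError as e:
        return [str(e)]
    problems = [] if blocks else ['no uuencoded block found']
    for name, mode, _ in blocks:
        if not SAFE_NAME.match(name):
            problems.append('unsafe filename %r' % name)
        if mode & 0o111:
            problems.append('executable mode %o for %r' % (mode, name))
    return problems


def safe_uudecode(body, dest_dir):
    """Decode every block into dest_dir, or reject the whole message.
    Validating before writing anything means a clean first block cannot
    smuggle in a bad second one."""
    problems = check_blocks(body)
    if problems:
        raise ValueError('; '.join(problems))
    dest = Path(dest_dir).resolve()
    written = []
    for name, mode, data in find_uu_blocks(body):
        target = (dest / name).resolve()
        if target.parent != dest:           # containment check, belt and braces
            raise ValueError('path escapes %s: %s' % (dest, target))
        payload = b''.join(binascii.a2b_uu(l) for l in data if l.strip())
        with open(target, 'wb') as f:
            f.write(payload)
        os.chmod(target, mode & 0o666)      # never grant execute bits from mail
        written.append(target.name)
    return written


def decode_in_scratch(body):
    """Try to decode body into a throwaway directory.
    Returns ('ok', {name: bytes}) or ('rejected', reason)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            written = safe_uudecode(body, d)
        except ValueError as e:
            return 'rejected', str(e)
        return 'ok', {n: (Path(d) / n).read_bytes() for n in written}


# Constructed sample bodies (not taken from the original message).
PAYLOAD = b'hello world\n'
ENCODED = binascii.b2a_uu(PAYLOAD).decode('ascii').rstrip('\n')
GOOD_BODY = 'Here is the file.\nbegin 644 report.txt\n%s\n`\nend\n' % ENCODED
# A clean block followed by a second block aimed at a dotfile one level up.
SMUGGLED_BODY = GOOD_BODY + 'begin 644 ../.procmailrc\n%s\n`\nend\n' % ENCODED
# The header exactly as written in the post above (name before mode).
ODD_HEADER_BODY = 'begin ../.procmailrc 644\n%s\n`\nend\n' % ENCODED

if __name__ == '__main__':
    print(decode_in_scratch(GOOD_BODY))
    print(check_blocks(SMUGGLED_BODY))
    print(check_blocks(ODD_HEADER_BODY))
```

This replaces the `awk '/begin/,/end/' | uuconvert` half of the recipe; the procmail side only needs to pipe the body to it. The point of the design is that the decision is made over all blocks at once and before any write, and that the destination path is resolved and compared against the target directory even after the name has passed the regex.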