Anyone see serious security holes in this? Assume most recent
procmail version.
ARCHIVEDIR=/full/path/to/www/directory/
:0
#
# From is not very secure, I know.
* ^From: (sender full name *<)?account@([a-z0-9]+\.)?site.tld\>
#
# This provides the bulk of keep-others-out security.
* ^Subject: agreed-upon-magic-phrase
#
# The idea is to catch only safe files names, and those may
# not have a ".." in them. For simplicity don't allow them
# to end with a "." either.
* $ ^To:[^/]+\+\//([^$SHELLMETAS\$.]|[^.]\.[^.])+
{
FILE=$MATCH
# Get the directory portion
:0
* FILE ?? ^^\/.*/
{ DIR=$ARCHIVEDIR/$MATCH }
# Ensure it exists; the 'h' flag is probably not useful
:0ihc
* ? test ! -d $DIR
| mkdir $DIR
# Get a lock for the following two actions.
LOCK=$ARCHIVEDIR/$MATCH.lock
# Ensure the file does not exist; the 'h' flag...
:0ihc
| rm -f $ARCHIVEDIR/$MATCH
# Save the (raw) body only in the file.
:0br
$ARCHIVEDIR/$MATCH
# Release the lock
LOCK
}
Elijah