procmail

Re: [autoresponder] testing existence of requested file

1999-11-30 02:02:17
On Tue, 30 Nov 1999 09:27:10 +0100, Rejo Zenger
<subs(_at_)sisterray(_dot_)xs4all(_dot_)nl> wrote:
*   ^Subject: send \/[^    ]*
{
        VALID_FILE = "no"
        :0w
        * ? test -f $FILEDIR/$MATCH
        {
                VALID_FILE = "yes"

This has the all too usual problem of allowing someone to request
../../../../../../../../etc/passwd or whatever. You need to be more
strict with what you want to allow people to request. A common safety
net is to disallow anything with any slashes in it, and require there
to be at least one character.

There's a good sample in procmailex(5) and Philip posted something on
this subject very recently, too. Refer to the Rosat archives (that's
at <http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/>) if
you don't keep postings locally.

Note that if your conditions only look for requests for allowed files,
you will drop through to Dilbert knows where if somebody requests
something you hadn't anticipated. Generally speaking, it's probably
better to look for "send anything" and then send a rejection notice if
"anything" doesn't match your stricter criteria for what people are
allowed to request.

Hope this helps,

/* era */

-- 
 Too much to say to fit into this .signature anyway: <http://www.iki.fi/era/>
  Fight spam in Europe: <http://www.euro.cauce.org/> * Sign the EU petition
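The check era describes, as an added example that is not part of the original post or of Rejo's recipe: a POSIX shell version of the "send anything" request handler, where the name is first held to a strict allow-list (at least one character, no slashes, no leading dot, only safe characters) and only then looked up under the file directory; anything that fails is rejected rather than falling through. The directory argument, the function names and the `Subject:` lines in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the strict request check that
# era recommends, written as plain sh functions (procmail's `?` conditions
# run the same sort of test via sh).

# Naive check from the quoted recipe: only "does $FILEDIR/$MATCH exist".
# From a directory under /tmp, "../../../../../../../../etc/passwd" exists.
naive_check() {
    [ -f "$1/$2" ]
}

# Strict allow-list for a requested name: one or more characters, no slash
# anywhere, no leading dot (rules out "." , ".." and dotfiles), and only
# characters a file offered by an autoresponder would sensibly use.
valid_name() {
    case "$1" in
        '')                 return 1 ;;   # require at least one character
        */*)                return 1 ;;   # no slashes: blocks ../../etc/passwd
        .*)                 return 1 ;;   # no "." / ".." / dotfiles
        *[!A-Za-z0-9._-]*)  return 1 ;;   # only a small set of safe characters
    esac
    return 0
}

# Resolve a request to a file under the given directory. Prints the path and
# returns 0 on success; returns 1 (prints nothing) when it must be rejected.
# The `test -f` from the original recipe runs only after the name passed.
lookup_request() {
    filedir="$1"
    name="$2"
    valid_name "$name" || return 1
    [ -f "$filedir/$name" ] || return 1
    printf '%s\n' "$filedir/$name"
}

# Decide what to do with one Subject: line, following era's advice: match
# "send anything" first, then reject whatever fails the stricter criteria
# instead of dropping through to some other recipe.
handle_subject() {
    filedir="$1"
    subject="$2"
    case "$subject" in
        "Subject: send "*) ;;
        *) echo "ignore"; return 0 ;;      # not a request at all
    esac
    req=${subject#"Subject: send "}        # text after "send "
    req=${req%%[[:space:]]*}               # first whitespace-delimited word
    if path=$(lookup_request "$filedir" "$req"); then
        echo "send $path"
    else
        echo "reject $req"
    fi
}

# Demo on a constructed directory holding one file an autoresponder offers.
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/faq.txt"
    if naive_check "$dir" "../../../../../../../../etc/passwd"; then
        echo "naive check would happily serve /etc/passwd"
    fi
    handle_subject "$dir" "Subject: send faq.txt"
    handle_subject "$dir" "Subject: send ../../../../../../../../etc/passwd"
    handle_subject "$dir" "Subject: send .procmailrc"
    handle_subject "$dir" "Subject: send nothere.txt"
    handle_subject "$dir" "Subject: hello there"
    rm -rf "$dir"
}

demo
```

Anything not on the allow-list is answered with a rejection, so a request the author never anticipated can no longer leak out of the autoresponder recipe into whatever follows it in the .procmailrc.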