procmail

Re: [autoresponder] testing existence of requested file

1999-11-30 23:20:37
++ 30/11/99 10:51 +0200 - era eriksson:
On Tue, 30 Nov 1999 09:27:10 +0100, Rejo Zenger
<subs(_at_)sisterray(_dot_)xs4all(_dot_)nl> wrote:
*   ^Subject: send \/[^    ]*
{
        VALID_FILE = "no"
        :0w
        * ? test -f $FILEDIR/$MATCH
        {
                VALID_FILE = "yes"

This has the all too usual problem of allowing someone to request
../../../../../../../../etc/passwd or whatever. You need to be more
strict with what you want to allow people to request.

Good point there (which is one of the reasons for being on this list). I
have taken a look at the procmailex manpage, and I don't understand this
autoresponder at one point:

* !^Subject: send file .*[/.]\.

What happens here exactly? It says the Subject line is not allowed to
have the string /. (slash, dot) or .. (dot, dot) somewhere in it?
Correct?

Note that if your conditions only look for requests for allowed files,
you will drop through to Dilbert knows where if somebody requests
something you hadn't anticipated.

Yes, I was thinking of that as well... I learned about this kind of
mistake from reading the book Jurassic Park by Michael Crichton years
ago. When they have this island with all the dinosaurs they count them
once in a while to be sure none of those dinosaurs have escaped. However,
they count exactly the number they are expecting to have. The dinosaurs
have unexpectedly multiplied, but they don't know it, as they only count
up to the exact number and not beyond it.

Anyway, I guessed it would be easier to maintain with a setup like this,
as one would, I guess, need a file that lists all of the available
files. This listing should be kept up to date, which could be automated
by a script run by cron. One would have procmail grep that list for the
file name, I guess.

Maybe, if I have the time, I'll change the autoresponder's behaviour to
that type. For the time being I'll stick to this one, I guess:

  :0
  *   ^TO_bot@sisterray.xs4all.nl
  * ! ^FROM_DAEMON
  * ! ^Precedence: (bulk|junk)
  * ! ^(From|X-Loop|Reply-To):.*autoresponder@sisterray\.xs4all\.nl
  * ! ^Subject:.*Re:
  *   ^Subject: send [0-9a-z]
  * ! ^Subject: send file .*[/.]\.
  *   ^Subject: send \/[^    ]*
  {
          [unchanged]

Any more suggestions?

        -Rejo.

-- 
= Rejo Zenger  [Sister Ray Crisiscentrum]               
rejo(_at_)sisterray(_dot_)xs4all(_dot_)nl
= http://mediaport.org/~sister                                  PGP: see headers
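As an added example (not Rejo's recipe and not from procmailex), this is the shape of the whitelist check discussed above, written as a shell script that procmail could invoke from a `* ? ...` condition: the requested name is restricted to a single safe token, looked up verbatim in a cron-maintained list of available files, and anything else is denied by default instead of dropping through. The directory, list file and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Two controls the thread
# asks for: a strict whitelist of what may be requested, and a default-deny
# verdict for every other request. All paths and names below are constructed.

# Accept only one token of [0-9a-zA-Z._-] with no leading dot, so
# "../../etc/passwd", "dir/file" and ".procmailrc" are refused before
# anything touches the filesystem.
safe_name() {
    case "$1" in
        '' | .* | *[!0-9a-zA-Z._-]*) return 1 ;;
    esac
}

# Usage: valid_request "<Subject text>" <filedir> <allowed-list>
# Exit 0 only if the subject is exactly "send <name>", <name> is safe,
# appears as a whole line in the list (which a cron job regenerates), and
# names a regular, non-symlink file directly under <filedir>.
valid_request() {
    subject=$1 filedir=$2 allowed=$3
    name=${subject#"send "}
    [ "$name" != "$subject" ] || return 1        # no "send " prefix
    safe_name "$name" || return 1
    grep -qxF -- "$name" "$allowed" || return 1  # literal, whole-line match
    [ -f "$filedir/$name" ] && [ ! -L "$filedir/$name" ]
}

# Throwaway FILEDIR plus whitelist so the check runs offline. draft.txt
# exists on disk but is deliberately absent from the list.
setup_demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/files"
    echo "frequently asked questions" > "$dir/files/faq.txt"
    echo "not for release" > "$dir/files/draft.txt"
    printf '%s\n' faq.txt > "$dir/allowed"
    echo "$dir"
}

# One verdict per request, as an autoresponder log might read.
check() {
    if valid_request "$1" "$2" "$3"; then echo "ALLOW  $1"; else echo "DENY   $1"; fi
}

DEMO=$(setup_demo)
for s in "send faq.txt" "send draft.txt" "send ../../etc/passwd" \
         "send .procmailrc" "send faq.txt extra" "sendfaq.txt"; do
    check "$s" "$DEMO/files" "$DEMO/allowed"
done
rm -rf "$DEMO"
```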