[Dovecot] Developing new Dspam Plugin
Timothy White
dovecot.user at weirdo.bur.st
Fri Jun 30 06:08:24 EEST 2006
On 6/28/06, Timothy White <weirdit at gmail.com> wrote:
> I just realised that it may be possible to exploit the snprintf and
> send strange commands to the server, for this reason, the user that
> the plugin uses, should only be able to run the 2 procedure's. I have
> no idea how to make this secure, or if it is secure or not. Any ideas?
> (e.g. snprintf(query, 20+MAXSIGLEN, "CALL SPAM(\"%s\")", signature);
> If someone modifies the header, as long as it's within the MAXSIGLEN
> then they can effect the query?)
Anyone got ideas/comments on this?
>
> Anyway, I'm off to try and work out why my DB is doing strange things,
> then I'll update my wiki, and check for compat with RC1
Wiki updated, code still untested with RC1. Client Runner written (in
php for now). I discovered a bug in my SQL file for setting up the
procedures, which was truncating signatures. Also fixed warning, by
using count(ID) rather than trying to select ID's when it could/should
result in an empty set.
Tim
http://members.plug.org.au/~linuxalien/dokuwiki/projects:dovecot-mysql-dspam-plugin
--
Linux Counter user #273956
More information about the dovecot
mailing list