bugzilla-daemon at bugzilla
Jun 27, 2012, 9:45 AM
Post #4 of 5
(220 views)
Permalink
|
|
[Bug 6803] Add input validation to responses from DNSBL queries
[In reply to]
|
|
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6803
--- Comment #16 from Mark Martinec <Mark.Martinec [at] ijs> ---
> Can we trigger a default rule that links to the generic DNSBL issue page
> if we get an out of range answer perhaps?
I think a rule would be needed for each zone queried,
unless we want to add some hack to the code.
The check_rbl_sub eval (DNSEval.pm) is rather simpleminded,
but does recognize a regexp, so something like '^(?!127\.)'
as a subtest could do the job.
The uridnsbl and urirhssub can take masks in various forms,
but cannot negate them, nor do they take a regexp, so it
seems a rule with an associated negated metarule would be
needed for each zone queried:
URIDNSBL.pm:
C<subtest> is a sub-test to run against the returned data. The sub-test may
be in one of the following forms: m, n1-n2, or n/m, where n,n1,n2,m can be
any of: decimal digits, 0x followed by up to 8 hexadecimal digits, or an IPv4
address in quad-dot form. The 'A' records (IPv4 dotted address) as returned
by DNSBLs lookups are converted into a numerical form (r) and checked against
the specified sub-test as follows:
for a range n1-n2 the following must be true: (r >= n1 && r <= n2);
for a n/m form the following must be true: (r & m) == (n & m);
for a single value in quad-dot form the following must be true: r == n;
for a single decimal or hex form the following must be true:
((r & n) != 0) && ((r & 0xff000000) == 0x7f000000), i.e. within 127.0.0.0/8
so a n/m subtest could be used: 127.0.0.0/255.0.0.0
and then negated with a meta.
Similar applies to AskDNS plugin, it uses the same logic as URIDNSBL.
--
You are receiving this mail because:
You are the assignee for the bug.
|
