Gossamer Forum

gosmail-1.0.1 bugs

I am finding a lot of bugs and I don't want to take up the whole forum, so all of my bug reports will be posted as replies to this message. These are bugs and fixes that work for me... No guarantees that they are the best solutions for you.

Matt Hahnfeld
EverySoft

incoming.pl bug
On line 71 of incoming.pl there is a line that reads:

chmod oct ($Webmail::CONFIG{'file_per'}), $outfile or die "Could not chmod $outfile";

This breaks, since file_per is not defined anywhere. You should define it in Webmail/Config.pm. Near the top, where the %Webmail::CONFIG hash is defined, add a line that looks like:

'file_per' => '600',

This only needs to be fixed if you are using incoming.pl to read individual messages from STDIN. If you are using a catchall account this sub never gets called anyway.

Matt Hahnfeld
EverySoft

incoming.pl tainted data
There is a small possible security hole in incoming.pl. If it is called with an argument, $user is taken in and essentially unchecked. Later in the script, files are created/opened using that variable. This can pose problems, especially if the script is called by sendmail and somehow bad data is passed to the script. As a matter of fact, when called by sendmail, setuid, the script will die with an error:

Insecure dependency in open while running setuid at /usr/lib/perl5/5.00502/i586-linux/IO/File.pm line 164

Well, there is an easy fix. Just open incoming.pl and find the line in sub get_input that reads:

($user =~ /@/) and $user =~ s/@.+$//;

Under that, add the following lines:

if ($user =~ /^([\w\.]+)$/) {
    $user = $1;
} else {
    die "No user specified";
}

This removes any bad characters from the username that is given to the script and untaints the variable.


Matt Hahnfeld
EverySoft
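
An added example, not part of the original posts or of Gossamer Mail's own code: the untaint check from the post above run over constructed usernames, beside a stricter variant. The sub names, the sample inputs and the stricter pattern are assumptions of this example; run it with perl -T so that command-line arguments arrive tainted.

```perl
#!/usr/bin/perl
# Added example. Run as: perl -T untaint_demo.pl [name ...]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The check from the post: allow-list match, keep only the captured text.
sub untaint_post {
    my ($user) = @_;
    return $user =~ /^([\w\.]+)$/ ? $1 : undef;
}

# Stricter variant (an assumption of this example, not from the post):
# \A and \z refuse a trailing newline instead of silently dropping it,
# and the first character may not be a dot, so "." and ".." are refused.
sub untaint_strict {
    my ($user) = @_;
    return $user =~ /\A([A-Za-z0-9_][A-Za-z0-9_.]*)\z/ ? $1 : undef;
}

# Constructed sample inputs; command-line arguments, if any, go first.
# Only the arguments are tainted under -T, string literals never are.
my @samples = ('matt', 'matt.h', 'matt@example.com', "matt\n",
               '..', '../x', 'a|b', '');

printf "taint mode: %s\n", ${^TAINT} ? 'on' : 'off';
printf "%-20s %-8s %-12s %s\n", 'input', 'tainted', 'post check', 'strict check';

for my $raw (@ARGV, @samples) {
    my $user = $raw;
    # Same step as the existing line in get_input: drop the domain part.
    ($user =~ /@/) and $user =~ s/@.+$//;

    my $was_tainted = tainted($user) ? 'yes' : 'no';
    my $post   = untaint_post($user);
    my $strict = untaint_strict($user);

    # The captured value is untainted even when the input was tainted.
    die "capture still tainted" if defined $post && tainted($post);

    (my $shown = $raw) =~ s/\n/\\n/g;    # make a newline visible in output
    printf "%-20s %-8s %-12s %s\n", "'$shown'", $was_tainted,
        defined $post   ? "'$post'"   : 'rejected',
        defined $strict ? "'$strict'" : 'rejected';
}
```

Both checks reject any name containing a slash, pipe or other shell or path metacharacter; they differ only on names made of dots and on a trailing newline, which matters because $user is later used to build a file name.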