The next step is a bit scary. Am I smart enough to let procmail do all of this for me? In that case I might consider ditching Perl in favor of munpack, which I saw in Wireless Hacks
Note that if you stick with this script, I'll be able to create arbitrarily named directories as your user simply by sending you mail. (The contents of the From: header are completely untrustworthy - your script doesn't prevent me from placing ../../../../home/bdfoy as my From: header) I'll also be able to create files as your username with pretty much arbitrary content (but I won't be able to overwrite existing files, thanks to the checks in MIME::Parser::Filer). Eventually, this might lead to a compromise. (If you use bash, ask yourself - do you have a ~/.bash_profile file?)
At the very least, I'd add this line right after you get the new parser:
$from = $parser->filer->exorcise_filename($from);
I'd then have someone go over this script with a fine-toothed comb for security issues before invoking it automatically on arbitrary data sent over the network. (Which is what mail messages are)
--
@/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/;
map{y/X_/\n /;print}map{pop@$_}@/for@/
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
