4.51.4: security concerns, TNEF question

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 1 18:26:51 GMT 2006


Jeff A. Earickson wrote:
> Julian,
>
> Whilst staring at the new logging additions to TNEF.pm, I
> noticed the lines:
>
> system("rm -rf /tmp/tnef.$$");
>
> Harrumph.  I would recommend replacing this with an unlink()
> call instead (use -U for directory, or unlink() and rmdir()). It would 
> save the cost of a fork() and exec() to create a subshell. 
> Security-wise, I also get nervous when I do not see a full pathname 
> for "rm" in code that runs as root.
As someone else has already pointed out, the $PATH is fixed at startup, 
so this is pretty safe.

To emulate "rm -rf" in Perl, I will have to do quite a clever tree walk, 
as I don't want to follow soft or hard links. "rm -rf" solves a 
non-trivial problem, and I don't like reinventing the wheel. Is it 
really that bad?
>
> Likewise, I spotted similar relative-path system() calls in
>
> f-prot-autoupdate  (wget, cp, unzip)
> rav-autoupdate  (chmod)
> vexira-autoupdate (wget)
>
> Maybe you would want to replace the "system($rm..." calls elsewhere
> (eg, sophos-autoupdate) with similar unlink() calls?
I will have to take a look at these. It depends what the rm options 
given are.
>
> On another note, I see the syslogging for "added TNEF contents"
> in TNEF.pm, but no "replaced TNEF contents" anywhere.  Is there
> syslogging of a "replace TNEF" event?
If the TNEF contents have been successfully extracted, then the 
winmail.dat file is deleted elsewhere. Try taking a look in Message.pm 
(I think). Grep for winmail.dat and you should find it, or else 
'foundtnefattachments'. The TNEF contents are added in 1 place. If 
successful and what the user wanted, then the winmail.dat file is 
deleted later. It's around line 1569 in Message.pm.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
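
The link-safe tree walk discussed in the message above, written in Perl as an added example (not part of the original message and not MailScanner's code). The helper name `remove_tree_nofollow` and the demo file layout are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: delete $path and everything below it without spawning
# a shell and without ever descending through a symbolic link.
# Assumes no other user can modify the tree during the walk (for example a
# mode 0700 directory): the lstat-then-opendir sequence is not atomic.
sub remove_tree_nofollow {
    my ($path) = @_;
    lstat($path) or return 0;      # lstat describes a link itself, not its target
    unless (-d _) {                # "_" reuses that lstat result
        # File, symlink, FIFO...: unlink removes this name only, so a symlink's
        # target and the other names of a hard-linked file are left alone.
        return unlink($path) ? 1 : 0;
    }
    opendir(my $dh, $path) or return 0;
    my @names = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);
    my $ok = 1;
    for my $name (@names) {
        $ok = 0 unless remove_tree_nofollow("$path/$name");
    }
    return ($ok && rmdir($path)) ? 1 : 0;
}

# Constructed demo: a scratch tree containing a symlink that points outside it.
my $base    = tempdir(CLEANUP => 1);
my $outside = "$base/outside";
my $scratch = "$base/tnef.$$";
mkdir($_) or die "mkdir $_: $!" for $outside, $scratch, "$scratch/sub";
for my $file ("$outside/keep.txt", "$scratch/sub/winmail.dat") {
    open(my $fh, '>', $file) or die "open $file: $!";
    close($fh);
}
symlink($outside, "$scratch/link") or die "symlink: $!";

remove_tree_nofollow($scratch) or die "removal failed\n";
print "scratch tree removed: ", (-e $scratch ? "no" : "yes"), "\n";
print "file behind symlink kept: ", (-e "$outside/keep.txt" ? "yes" : "no"), "\n";

# If rm is kept instead, the list form of system() runs it with no shell and no
# PATH lookup (the location /bin/rm is an assumption):
#   system('/bin/rm', '-rf', '--', $dir);
```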

