4.51.4: security concerns, TNEF question
MailScanner at ecs.soton.ac.uk
Wed Mar 1 18:26:51 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Jeff A. Earickson wrote:
> Whilst staring at the new logging additions to TNEF.pm, I
> noticed the lines:
> system("rm -rf /tmp/tnef.$$");
> Harrumph. I would recommend replacing this with an unlink()
> call instead (use -U for directory, or unlink() and rmdir()). It would
> save the cost of a fork() and exec() to create a subshell.
> Security-wise, I also get nervous when I do not see a full pathname
> for "rm" in code that runs as root.
As someone else has already pointed out, the $PATH is fixed at startup,
so this is pretty safe.
To emulate "rm -rf" in Perl, I will have to do quite a clever tree walk,
as I don't want to follow soft or hard links. "rm -rf" solves a
non-trivial problem, and I don't like reinventing the wheel. Is it
really that bad?
> Likewise, I spotted similar relative-path system() calls in
> f-prot-autoupdate (wget, cp, unzip)
> rav-autoupdate (chmod)
> vexira-autoupdate (wget)
> Maybe you would want to replace the "system($rm..." calls elsewhere
> (eg, sophos-autoupdate) with similar unlink() calls?
I will have to take a look at these. It depends what the rm options
> On another note, I see the syslogging for "added TNEF contents"
> in TNEF.pm, but no "replaced TNEF contents" anywhere. Is there
> syslogging of a "replace TNEF" event?
If the TNEF contents have been successfully extracted, then the
winmail.dat file is deleted elsewhere. Try taking a look in Message.pm
(I think). Grep for winmail.dat and you should find it, or else
'foundtnefattachments'. The TNEF contents are added in 1 place. If
successful and what the user wanted, then the winmail.dat file is
deleted later. It's around line 1569 in Message.pm.
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
-----END PGP SIGNATURE-----
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner