Re: [ietf-822] inventive syntax, at least
Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> Sat, 15 November 2014 11:20 UTC
Return-Path: <arnt@gulbrandsen.priv.no>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 555DE1A86FF for <ietf-822@ietfa.amsl.com>; Sat, 15 Nov 2014 03:20:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyeJKMmSzewf for <ietf-822@ietfa.amsl.com>; Sat, 15 Nov 2014 03:20:56 -0800 (PST)
Received: from strange.aox.org (strange.aox.org [80.244.248.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FDE21A86FC for <ietf-822@ietf.org>; Sat, 15 Nov 2014 03:20:56 -0800 (PST)
Received: from fri.gulbrandsen.priv.no (localhost [127.0.0.1]) by strange.aox.org (Postfix) with ESMTP id 63E34FA008F; Sat, 15 Nov 2014 11:20:51 +0000 (UTC)
Received: from arnt@gulbrandsen.priv.no by fri.gulbrandsen.priv.no (Archiveopteryx 3.2.0) with esmtpsa id 1416050450-4330-4329/11/26; Sat, 15 Nov 2014 11:20:50 +0000
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: ietf-822@ietf.org
Date: Sat, 15 Nov 2014 12:20:49 +0100
User-Agent: Trojita/v0.4.1-243-g4a74770; Qt/4.8.6; X11; Linux; Ubuntu 14.04.1 LTS
Mime-Version: 1.0
Message-Id: <3efa97a7-864d-4b32-94d2-0c7a0ff6f03a@gulbrandsen.priv.no>
In-Reply-To: <20141115041802.11249.qmail@ary.lan>
References: <96210782-74c2-4fe6-a478-086cf474c37e@gulbrandsen.priv.no> <CAL0qLwZ6nUA-XECaAK8=GZ+br5vEaOD+WYG7Y2ogweD-Xrs2Pw@mail.gmail.com> <6d9c88ba-ad4f-4527-826d-a7f63ddface1@gulbrandsen.priv.no> <dde9e95a0cbeb42be10c0cba26016c2d@mailbox.ijs.si> <20141115041802.11249.qmail@ary.lan>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/pZGOjN1ec9ObvMtFQVvxFSGcuRI
Subject: Re: [ietf-822] inventive syntax, at least
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Nov 2014 11:20:59 -0000
On Saturday, November 15, 2014 5:18:02 AM CEST, John Levine wrote:
> I would think that sendmail and postfix .forward files would have the
> same problem.
Postfix doesn't write GIGO crap to environment variables. Qmail's general
philosophy is to not parse and thereby shrink its own attack surface,
Postfix' is to parse and think about the result.
Postfix will write e.g. the recipient localpart to the environment, so if
your login name were (){etc I suppose Postfix would be vulnerable in your
case.
No idea about sendmail, I haven't used that since the days of 5.65.
Arnt
- [ietf-822] inventive syntax, at least Arnt Gulbrandsen
- Re: [ietf-822] inventive syntax, at least Murray S. Kucherawy
- Re: [ietf-822] inventive syntax, at least Arnt Gulbrandsen
- Re: [ietf-822] inventive syntax, at least Mark Martinec
- Re: [ietf-822] inventive syntax, at least John Levine
- Re: [ietf-822] inventive syntax, at least Mark Martinec
- Re: [ietf-822] inventive syntax, at least Martijn Grooten
- Re: [ietf-822] inventive syntax, at least Arnt Gulbrandsen