[secdir] Secdir review of draft-ietf-sieve-include-13
Radia Perlman <radiaperlman@gmail.com> Mon, 05 December 2011 05:22 UTC
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-sieve-include.all@tools.ietf.org
Summary: No problems found with this document

Summary of document: This document specifies an extension to an existing file format. That file format is defined in RFC5228 and specifies a format for incoming mail filtering and sorting rules (e.g. if subject field contains “Viagra” delete the message). This extension defines an ‘include’ command, which allows someone to hierarchically organize mail filtering rules into separate files. The goal (among others) is so that there can be some common filters that lots of users might want to use, users can reference them with ‘include’ commands rather than copying their bodies into their own filtering rules, and the common filters can then be updated by a central authority and changes will automatically be reflected in each user’s rules.

This extension only introduces one interesting new security concern, and it is covered well in the security considerations. That concern is that a user might be able to trick the mail sorting utility into opening files that the user would not have permission to open. Depending on the OS, this might or might not be easy for the mail sorting utility to avoid, but the security considerations point out several variations, like making sure that file names really are file names (and not something that could escape itself into a shell script) and checking the access rules on the files to make sure that there is no privilege elevation.

Radia
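The two mitigations the review mentions, treating an include name strictly as a file name and checking access rules on the resolved file, can be shown in a small resolver. The following is an added illustration, not code from the draft, from Radia's review, or from any Sieve implementation. It assumes a store layout of its own choosing (`<store>/global/<name>.sieve` for centrally maintained scripts, `<store>/users/<user>/<name>.sieve` for a user's own), a conservative name grammar, a `.sieve` suffix, and an assumed policy that personal scripts must be owned by the including user; all sample scripts and the symlink are constructed inline.

```python
"""Safe resolution of Sieve `include :personal` / `include :global` names.

Added illustration only; not code from draft-ietf-sieve-include or any Sieve
implementation. Assumed store layout (chosen for this example):
    <store>/global/<name>.sieve        shared scripts maintained centrally
    <store>/users/<user>/<name>.sieve  each user's own scripts
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed name grammar for this example: a plain file-name-like token with no
# path separators, shell metacharacters, control characters or leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class IncludeError(Exception):
    """Raised whenever an include must be refused."""


def validate_script_name(name: str) -> str:
    """Accept only names that are unambiguously file names, never path or shell syntax."""
    if not isinstance(name, str) or not _SAFE_NAME.fullmatch(name):
        raise IncludeError(f"invalid script name {name!r}")
    return name


def resolve_include(store, user: str, location: str, name: str, uid=None) -> Path:
    """Map an include to a script file inside the expected directory, checking
    that the including user is actually allowed to read it."""
    store = Path(store)
    validate_script_name(name)
    if location == "personal":
        base = (store / "users" / user).resolve()
    elif location == "global":
        base = (store / "global").resolve()
    else:
        raise IncludeError(f"unknown location {location!r}")
    # resolve() follows symlinks, so a link planted in the user's directory that
    # points somewhere else fails the parent check below.
    target = (base / f"{name}.sieve").resolve()
    if target.parent != base:
        raise IncludeError(f"{name!r} escapes the {location} script directory")
    if not target.is_file():
        raise IncludeError(f"{name!r}: no such {location} script")
    if uid is None:
        uid = os.getuid()
    # The sorting utility may run with more privilege than the user, so a plain
    # os.access() would not prove the user could open the file; for personal
    # scripts additionally require that the user owns it (assumed policy).
    if location == "personal" and target.stat().st_uid != uid:
        raise IncludeError(f"{name!r} is not owned by {user}")
    if not os.access(target, os.R_OK):
        raise IncludeError(f"{name!r} is not readable")
    return target


def try_include(store, user: str, location: str, name: str, uid=None) -> str:
    """Return 'ok:<path in store>' or 'rejected:<reason>' instead of raising."""
    try:
        target = resolve_include(store, user, location, name, uid)
        return "ok:" + target.relative_to(Path(store).resolve()).as_posix()
    except IncludeError as exc:
        return "rejected:" + str(exc)


def build_demo_store() -> Path:
    """Create a throwaway store with constructed sample scripts; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="sieve-store-"))
    (root / "global").mkdir()
    (root / "users" / "alice").mkdir(parents=True)
    (root / "users" / "bob").mkdir(parents=True)
    (root / "global" / "spam-common.sieve").write_text(
        'if header :contains "subject" "Viagra" { discard; }\n')
    (root / "users" / "alice" / "lists.sieve").write_text(
        'if header :contains "list-id" "secdir" { fileinto "ietf"; }\n')
    (root / "users" / "bob" / "private.sieve").write_text("# bob's rules\n")
    try:  # a link in alice's directory pointing at bob's script
        (root / "users" / "alice" / "sneaky.sieve").symlink_to(
            root / "users" / "bob" / "private.sieve")
    except OSError:
        pass  # no symlink support: the name then simply does not exist
    return root


if __name__ == "__main__":
    store = build_demo_store()
    for user, location, name in [("alice", "global", "spam-common"),
                                 ("alice", "personal", "lists"),
                                 ("alice", "personal", "../bob/private"),
                                 ("alice", "personal", "report;id"),
                                 ("alice", "personal", "sneaky"),
                                 ("alice", "global", "lists")]:
        print(f"include :{location} {name!r:<18} -> {try_include(store, user, location, name)}")
```

The name check runs before any filesystem access, so nothing that looks like path or shell syntax ever reaches the OS; the parent check after `resolve()` catches a symlink that would otherwise pull another user's file into scope; and the ownership test matters precisely because a sorting utility running with elevated privilege would pass `os.access()` for files the user could never open themselves.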