#1 Quick fix for tainted mx host names passed to Net::Ping

open
nobody
None
5
2003-01-02
2003-01-02
No

--- CheckUser.pm.org Thu Jan 2 13:13:21 2003
+++
CheckUser.pm Thu Jan 2 13:21:08 2003
@@ -214,10
+214,14 @@
if($Skip_SMTP_Checks) {
return
_result(CU_OK, 'skipping SMTP checks');
} else {
+ my
@mservers_ok;
+ foreach (@mservers) { # Weed out bad
MX hostnames and untaint.
+ push(@mservers_ok, $1) if
(/^([\w\-\.]+)$/);
+ }
if ($Skip_SYN) {
# Skip SYN/ACK
check.
# Just check user on each mail server one at a
time.
- foreach my $mserver (@mservers) {
+ foreach my
$mserver (@mservers_ok) {
my $tout =
_calc_timeout($timeout, $start_time);
return
_result(CU_SMTP_TIMEOUT, 'SMTP timeout') if $tout ==
0;

@@ -236,7 +240,7 @@
my $ping = new Net::Ping
"syn", _calc_timeout($timeout, $start_time)*3/4+1;
$ping-
>{port_num} = getservbyname("smtp", "tcp");
$ping-
>tcp_service_check;
- foreach my $mserver (@mservers)
{
+ foreach my $mserver (@mservers_ok) {
_pm_log
"check_network: \"$mserver\" resolving";
if (my
($resolved,$lookup_duration,$ip) = $ping->ping($mserver))
{
$resolve->{$mserver} = $ip;
@@ -245,7 +249,7
@@
_pm_log "check_network: \"$mserver\" host not
found!";
}
}
- foreach my $mserver (@mservers) {
+
foreach my $mserver (@mservers_ok) {
my $tout =
_calc_timeout($timeout, $start_time);
return
_result(CU_SMTP_TIMEOUT, 'SMTP timeout') if $tout ==
0;

@@ -266,7 +270,7 @@

return
_result(CU_SMTP_UNREACHABLE,
'Cannot connect
SMTP servers: ' .
- join(', ', @mservers));
+ join(', ',
@mservers_ok));
}

# it should be impossible to
reach this statement

Discussion


Log in to post a comment.