From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net
X-Spam-Level:
X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2
Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 64B201F5AE; Sat, 4 Jul 2020 21:24:51 +0000 (UTC)
Date: Sat, 4 Jul 2020 21:24:51 +0000
From: Eric Wong
To: "Eric W. Biederman"
Cc: meta@public-inbox.org
Subject: Re: [PATCH] t/import: test for nasty characters
Message-ID: <20200704212451.GB6980@dcvr>
References: <87imf4qn87.fsf@x220.int.ebiederm.org> <20200703233032.GA5810@dcvr> <20200704202525.GA19556@dcvr> <87a70fnhxp.fsf@x220.int.ebiederm.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <87a70fnhxp.fsf@x220.int.ebiederm.org>
List-Id:

"Eric W. Biederman" wrote:
> Eric Wong writes:
>
> > Eric Wong wrote:
> >> "Eric W. Biederman" wrote:
> >> > - $name =~ tr/<>//d;
> >> > + $name =~ tr/\n\r<>$/ /d;
> >>
> >> Is getting rid of '$' an effort to avoid double interpolation by Perl?
> >> Perl won't recursively expand variables AFAIK.
> >
> > I'm not seeing the purpose in $ being grouped with the
> > characters (test below confirms it, I think).
>
> What I think we should be doing is any characters that are not a valid
> part of a name (as defined by the appropriate email RFCs) should be
> dealt with.
>
> I am pretty certain $ isn't of those characters that is valid in a name.

*shrug* We'd have to dig through RFCs for that, but practically
anything can be valid once base64-encoded in headers. This part
of the code is only about keeping git-fast-import happy.

'$' is a visible character, and can be used creatively for "fun"
usernames, so I prefer we keep it.

Fwiw, I was able to send an email to a big mail provider w/o
getting flagged as spam using "Ca$h Wong" as my From: name.
mutt didn't even escape or quote it, either.

> Otherwise I suspect this will be a game of whack-a-mole as new weird
> and strange cases crop up. Maybe I am just paranoid, but right now
> the code seems a bit too liberal in what it accepts.

I prefer we keep Import.pm liberal. MDA and spam filters can be
stricter, of course.

I can't see '$' possibly doing any damage unless somebody runs
`eval' on From: headers; but if we're defending against that,
we'd have to disallow words like "rm" and "unlink", too :)
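
Review bot: in the quoted `+` line, `tr/\n\r<>$/ /d` pairs a one-character replacement list with `/d`, so only `\n` is turned into a space while `\r`, `<`, `>` and `$` are deleted outright. If the intent is for both line-break characters to become spaces, that needs a separate `tr/\n\r/ /` without `/d` (or a two-space replacement list), with the deletions kept in their own `tr/<>//d`. Note also that `tr` does not interpolate its search list, so the `$` there is a literal dollar sign, and a comment saying which characters are dropped and which are replaced would make the line easier to review.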
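
The point made in the reply above, that only the characters git-fast-import treats as delimiters matter and `$` does not, shown as an added example (not Import.pm's code and not part of the original message). The helper names, sample names, address and timestamp are constructed, and the email address is assumed to be clean already.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: make a From: display name safe for the "author"
# line of a git-fast-import stream, whose form is
#   author <name> SP LT <email> GT SP <when> LF
# git-fast-import accepts any bytes in <name> except LT, GT and LF.
sub fast_import_name {
    my ($name) = @_;
    $name =~ tr/\r\n/ /;          # no /d: both CR and LF map to a space
    $name =~ tr/<>//d;            # delimiters of the email field are deleted
    $name =~ s/\s+/ /g;           # collapse runs of whitespace
    $name =~ s/\A\s+|\s+\z//g;    # trim both ends
    return $name;
}

# Hypothetical helper: build the author line from already-clean
# $email and $when values (assumption for this example).
sub author_line {
    my ($name, $email, $when) = @_;
    return sprintf("author %s <%s> %s\n",
                   fast_import_name($name), $email, $when);
}

# Constructed sample names.
my @samples = (
    'Ca$h Wong',        # '$' is plain data here and passes through
    "Two\nLines",       # an LF would end the author line early
    'A <b> C',          # stray LT/GT would confuse the email field
    "CR\r\nLF",
);

for my $n (@samples) {
    my $line = author_line($n, 'user@example.com', '1593897891 +0000');
    # tr with an empty replacement list and no /d only counts matches.
    # A well-formed line has one LF (the terminator) and one LT/GT pair.
    my $ok = ($line =~ tr/\n//) == 1
          && ($line =~ tr/<//)  == 1
          && ($line =~ tr/>//)  == 1;
    printf "%-4s %s", ($ok ? 'ok' : 'BAD'), $line;
}
```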