From: Eric Wong <e@yhbt.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: meta@public-inbox.org
Subject: Re: [PATCH] t/import: test for nasty characters
Date: Sat, 4 Jul 2020 21:24:51 +0000 [thread overview]
Message-ID: <20200704212451.GB6980@dcvr> (raw)
In-Reply-To: <87a70fnhxp.fsf@x220.int.ebiederm.org>
"Eric W. Biederman" <ebiederm@xmission.com> wrote:
> Eric Wong <e@yhbt.net> writes:
>
> > Eric Wong <e@yhbt.net> wrote:
> >> "Eric W. Biederman" <ebiederm@xmission.com> wrote:
> >> > - $name =~ tr/<>//d;
> >> > + $name =~ tr/\n\r<>$/ /d;
> >>
> >> Is getting rid of '$' an effort to avoid double interpolation by Perl?
> >> Perl won't recursively expand variables AFAIK.
> >
> > I'm not seeing the purpose in $ being grouped with the
> > characters (test below confirms it, I think).
>
> What I think we should be doing is any characters that are not a valid
> part of a name (as defined by the appropriate email RFCs) should be
> dealt with.
>
> I am pretty certain $ isn't of those characters that is valid in a name.
*shrug* We'd have to dig through RFCs for that, but practically
anything can be valid once base64-encoded in headers.
This part of the code is only about keeping git-fast-import
happy. '$' is a visible character, and can be used creatively
for "fun" usernames, so I prefer we keep it.
Fwiw, I was able to send an email to a big mail provider w/o
getting flagged as spam using "Ca$h Wong" as my From: name.
mutt didn't even escape or quote it, either.
> Otherwise I suspect this will be a game of whack-a-mole as new weird
> and strange cases crop up. Maybe I am just paranoid, but right now
> the code seems a bit too liberal in what it accepts.
I prefer we keep Import.pm liberal. MDA and spam filters can be
stricter, of course.
I can't see '$' possibly doing any damage unless somebody runs
`eval' on From: headers; but if we're defending against that,
we'd have to disallow words like "rm" and "unlink", too :)
next prev parent reply other threads:[~2020-07-04 21:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-03 21:53 [PATCH] Import: Be more careful with names in email Eric W. Biederman
2020-07-03 23:30 ` Eric Wong
2020-07-04 20:25 ` [PATCH] t/import: test for nasty characters Eric Wong
2020-07-04 20:28 ` Eric W. Biederman
2020-07-04 21:24 ` Eric Wong [this message]
2020-07-05 14:55 ` Leah Neukirchen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200704212451.GB6980@dcvr \
--to=e@yhbt.net \
--cc=ebiederm@xmission.com \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).