Commit
The code feeds the results of $session->config('me') to sprintf as part of the format string. In practice, this is probably not a problem since hostnames don't contain percent signs. However, it triggers a taint warning in perl 5.10, making cram-md5 auth unusable. This patch rewrites the sprintf to insert the 'me' value using a %s format specifier.

---

I don't know the usual practice for submitting patches to qpsmtpd, so please let me know if I should be doing something differently. I was a little confused by the test infrastructure, so no test, but hopefully this change is Obviously Correct.

I can trigger it on my Debian testing and unstable boxen with just this plugin:

    sub hook_auth_cram_md5 { return (DECLINED); }

which generates this in the log:

    1732 XX: Insecure dependency in sprintf while running with -T switch at lib/Qpsmtpd/Auth.pm line 63, <STDIN> line 3.
    ./qpsmtpd[1732]: command 'auth' failed unexpectedly (Bad file descriptor)

git-svn-id: http://svn.perl.org/qpsmtpd/trunk@967 958fd67b-6ff1-0310-b445-bb7760255be9
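The taint failure described in the commit message, as an added example that is not qpsmtpd's code: the challenge layout `<%x.%x@host>`, the function names `challenge_before`/`challenge_after`, the fixed values standing in for `rand()` and `time()`, and the way `$me` is made tainted (concatenating an empty substring of `$ENV{PATH}`, which is tainted under `-T`) are all assumptions made for the demonstration. `challenge_before` interpolates the hostname into the format string, which is what Auth.pm did before this patch; `challenge_after` passes it through `%s` as the patch does.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run this with:  perl -T taint_sprintf.pl
# (the -T switch must be on the command line; a shebang alone is "too late").

# Constructed stand-in for $session->config('me'). Anything read from a
# config file, %ENV or @ARGV is tainted under -T; concatenating an empty
# substring of a tainted value taints the whole result.
my $me = 'mail.example.com' . substr($ENV{PATH} // '', 0, 0);

# Before the patch: the hostname becomes part of the format string.
# Under -T, sprintf refuses a tainted *format* and dies with
# "Insecure dependency in sprintf while running with -T switch".
sub challenge_before {
    my ($host) = @_;
    return sprintf("<%x.%x\@$host>", 0xbeef, 1234567890);
}

# After the patch: the format is a constant and the hostname is an
# ordinary %s argument. Tainted arguments are permitted; the returned
# string is simply marked tainted, which is harmless here.
sub challenge_after {
    my ($host) = @_;
    return sprintf('<%x.%x@%s>', 0xbeef, 1234567890, $host);
}

printf "me is %stainted\n", tainted($me) ? '' : 'not ';

my $before = eval { challenge_before($me) };
if (defined $before) {
    print "before: $before\n";
} else {
    print "before: died: $@";
}

my $after = challenge_after($me);
printf "after:  %s (result tainted: %s)\n", $after, tainted($after) ? 'yes' : 'no';

# The percent-sign case the commit message mentions, with an untainted
# literal so it runs even under -T: a '%' inside the hostname is parsed
# as a conversion when the hostname is part of the format (Perl warns
# "Missing argument in sprintf"), but is copied verbatim as a %s argument.
my $odd = 'mail%x.example.com';
{
    no warnings;
    print "before, odd host: ", challenge_before($odd), "\n";
}
print "after,  odd host: ", challenge_after($odd), "\n";
```

Run it as `perl -T taint_sprintf.pl`: the "before" line reports the same "Insecure dependency in sprintf" error quoted in the log above, while the "after" line prints a well-formed challenge. Without `-T` both versions run, which is why the bug only surfaced once qpsmtpd was run under taint mode on perl 5.10.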