Skip to content
This repository
Browse code

Author: Jeff King <>

The code feeds the results of $session->config('me') to
sprintf as part of the format string. In practice, this is
probably not a problem since hostnames don't contain percent
signs. However, it triggers a taint warning in perl 5.10,
making cram-md5 auth unusable.

This patch rewrites the sprintf to insert the 'me' value
using a %s format specifier.

I don't know the usual practice for submitting patches to qpsmtpd, so
please let me know if I should be doing something differently.

I was a little confused by the test infrastructure, so no test, but
hopefully this change is Obviously Correct. I can trigger it on my
Debian testing and unstable boxen with just this plugin:

  sub hook_auth_cram_md5 {
      return (DECLINED);

which generates this in the log:

  1732 XX: Insecure dependency in sprintf while running with -T switch at
       lib/Qpsmtpd/ line 63, <STDIN> line 3.
  ./qpsmtpd[1732]: command 'auth' failed unexpectedly (Bad file descriptor)

git-svn-id: 958fd67b-6ff1-0310-b445-bb7760255be9
  • Loading branch information...
commit c38660cd2f4ed64699c7afd0bcde2441ac87506a 1 parent 798eebc
authored January 05, 2009

Showing 1 changed file with 2 additions and 2 deletions. Show diff stats Hide diff stats

  1. 4  lib/Qpsmtpd/
4  lib/Qpsmtpd/
@@ -60,8 +60,8 @@ sub SASL {
60 60
         # rand() is not cryptographic, but we only need to generate a globally
61 61
         # unique number.  The rand() is there in case the user logs in more than
62 62
         # once in the same second, of if the clock is skewed.
-        $ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">",
-            rand(1000000), time() );
+        $ticket = sprintf( '<%x.%x@%s>',
+            rand(1000000), time(), $session->config("me") );
65 65
66 66
         # We send the ticket encoded in Base64
67 67
         $session->respond( 334, encode_base64( $ticket, "" ) );

0 notes on commit c38660c

Please sign in to comment.
Something went wrong with that request. Please try again.