From fa6268d6bdf9c7fc31c3524be2cb919829659fe9 Mon Sep 17 00:00:00 2001 From: J Farkas Date: Sat, 2 Jan 2016 11:50:16 +0000 Subject: [PATCH] Re: cli/insert: do not lose the SMTP envelope --- d1/08f77b9fa49afb867b1d0a2f799eaa4e3225d4 | 115 ++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 d1/08f77b9fa49afb867b1d0a2f799eaa4e3225d4 diff --git a/d1/08f77b9fa49afb867b1d0a2f799eaa4e3225d4 b/d1/08f77b9fa49afb867b1d0a2f799eaa4e3225d4 new file mode 100644 index 000000000..3fd3bdaa9 --- /dev/null +++ b/d1/08f77b9fa49afb867b1d0a2f799eaa4e3225d4 
@@ -0,0 +1,115 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by arlo.cworth.org (Postfix) with ESMTP id B25756DE1B46 + for ; Sat, 2 Jan 2016 03:50:21 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at cworth.org +X-Spam-Flag: NO +X-Spam-Score: 0.274 +X-Spam-Level: +X-Spam-Status: No, score=0.274 tagged_above=-999 required=5 tests=[AWL=0.077, + DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, + RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, + TVD_FROM_1=0.999] autolearn=disabled +Received: from arlo.cworth.org ([127.0.0.1]) + by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id Lejg3kOnrf34 for ; + Sat, 2 Jan 2016 03:50:19 -0800 (PST) +Received: from know-smtprelay-omc-11.server.virginmedia.net + (know-smtprelay-omc-11.server.virginmedia.net [80.0.253.75]) + by arlo.cworth.org (Postfix) with ESMTP id 7F7596DE176C + for ; Sat, 2 Jan 2016 03:50:18 -0800 (PST) +Received: from dev.koan19.net ([82.1.197.255]) + by know-smtprelay-11-imp with bizsmtp + id 0zqG1s00Q5X6CWA01zqGgg; Sat, 02 Jan 2016 11:50:16 +0000 +X-Originating-IP: [82.1.197.255] +X-Spam: 0 +X-Authority: v=2.1 cv=JO3GyJ+b c=1 sm=1 tr=0 a=D+CNGfzuhY6ArhcYgadsyQ==:117 + a=D+CNGfzuhY6ArhcYgadsyQ==:17 a=jxr8AxaCAAAA:8 a=dmPqMsitAAAA:8 + a=hov-Noh0Y1sA:10 a=kj9zAlcOel0A:10 a=qCHOGeoEAAAA:8 a=QIhr-27iAAAA:8 + a=NEAV23lmAAAA:8 a=M1f5AqskhWhO7JSazuMA:9 a=CjuIK1q_8ugA:10 a=Kk53PCjjK_cA:10 + a=-atrXUsF2IQA:10 a=WRNerh0Hs7oA:10 a=FRQ_JnYhHjcA:10 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; + d=l2015aftruuq.dns007.net; i=@l2015aftruuq.dns007.net; q=dns/txt; s=l201512; + t=1451735416; h=To : Cc : Subject : References : MIME-Version : Content-Type + : In-Reply-To : From : Message-ID : Date : X-Originating-IP : Subject : From + : Date; bh=Mhd4ybZDXaGzRLyeW2zyTNk2sjDtLVQqn6VILrdeMrM=; + b=lKuJt4GBlEDNsfuZNw4/PApgk3Kj2EaF3Z70Wg2vZ+yGKmoj/9MWGwLInMgD6jpqV1eGpb 
+ FVp9kh0usRTlgGKYl9wSQu04wIAmdGx6T4+sBY/pc4XutjSajw8DOXYMIVRVKigSyu4YAWiS + 1feRvWxtHgkJBjF4JrtT3SSdOYReesXnVOis9NN56flHyDCVvwRJTrc5kKFMIxZaq/+0Slxw == +To: notmuch@notmuchmail.org +Cc: Tomi Ollila +Subject: Re: cli/insert: do not lose the SMTP envelope +References: <1451647279.42.86b0a8ab@201601.l2015aftruuq.dns007.net> + +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: +User-Agent: Mutt/1.5.23.1 (2014-03-12) +From: J Farkas +Message-ID: <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net> +Date: Sat, 02 Jan 2016 11:50:16 +0000 +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.20 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Sat, 02 Jan 2016 11:50:22 -0000 + +On 2016-01-02 at 13:28:02, Tomi Ollila wrote: +> On Fri, Jan 01 2016, J Farkas wrote: +> > Make sure we store the envelope sender/recipient if provided by +> > qmail-command(8) in $RPLINE and $DTLINE. +> > --- +> +> Probably good feature, but like +> http://www.qmail.org/man/man8/qmail-command.html +> says: +> +> qmail-local supplies several useful environment variables to +> command. WARNING: These environment variables are not +> quoted. They may contain special characters. They are +> under the control of a possibly malicious remote user. +> +> Should we check that the contents of RPLINE and DTLINE are well-formed +> before writing these to the mail files ? + +Thank you for reviewing and being so careful! + +That warning is not applicable for the *LINE variables which are +supposed to end up in the message without further munging (they even +have the LF appended already). 
+ +The extra carefulness is only relevant for anyone trying to *parse* +those strings, like $EXT via unsafe languages, when EXT becomes the +part following the dash after the username (considering +bgates-(){:;};shutdown@example.org for example) + +It still should be what the envelope sender was, and what was considered +valid at the time. + +I actually checked if there's any relevance for this warning: most +maildir delivering program does it already in one form or the other; in +fact, there is a command in the qmail distribution: +http://www.qmail.org/man/man1/preline.html which does the exact same +getenv and copy to the output. + +If you'd liek to confirm, there's one repo for what seems to be the +original qmail source for this file shows even DJB does it the same way: + +https://github.com/c-rack/qmail/blob/master/preline.c + +I would think it's not worth the extra fork and pipe for this. I don't +see how anyone could do without these headers saved, to be honest :) + +Janos + -- 2.26.2
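Review bot: The reply body of the archived message does not settle the well-formedness question it quotes. In the paragraph beginning "That warning is not applicable for the *LINE variables", $RPLINE and $DTLINE are described as going into the message "without further munging", while the quoted qmail-command text states that these variables are not quoted and are under the control of a possibly malicious remote user. The later reference to preline doing "the exact same getenv and copy" documents existing practice rather than showing that the values are safe to write as-is. A check made inside the insert process itself (each value is exactly one header line, ending in a single LF with no embedded LF) would need no "extra fork and pipe", so the cost argument in the closing paragraph does not rule it out. Suggest either adding that check or recording in the commit message why the values are written verbatim.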