<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [IRCServices] what do they think ?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000194.html">
<LINK REL="Next" HREF="000202.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] what do they think ?</H1>
<B>root of all evil</B>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To="
TITLE="[IRCServices] what do they think ?">climber at rionet.com.br
</A><BR>
<I>Fri Oct 8 16:49:56 PDT 1999</I>
<P><UL>
<LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?
</A></li>
<LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#195">[ date ]</a>
<a href="thread.html#195">[ thread ]</a>
<a href="subject.html#195">[ subject ]</a>
<a href="author.html#195">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Thanks for the advice.
I use it on my network only (a small network); of course, I don't run anything
related to IRC as root. My sendmail is not configured to check addresses,
so it's not a big deal if I do sendmail <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">bla at urg.uf.lu</A>; it will just generate a
mail with an error message, won't it? About the ";": it is a big security hole.
I'll try to make a stricter check on emails; any suggestions?
About the bogus sendmail in PATH, how would it be possible? I can't figure it out;
only if I do that myself (only I have access to the account).

The problem for me with SMTP is that you have to write an email client for it
to work well. Some time ago a Brazilian network tried to do something like this
(SMTP sendmail), but if the email was not valid, the whole Services crashed.

FiGhTeR
Rafael Moraes
irc.rionet.com.br;irc.brasirc.com.br

On Wed, 31 Dec 1969, you wrote:
>><i>I had written this function in my Services; it is working well, but I would like
</I>>><i>to hear comments and suggestions on it.
</I>>><i>
</I>>><i>It sends password information to the nick email (ni->email) and I changed
</I>>><i>do_register, so users must give a mail.
</I>><i>
</I>><i> From a functional standpoint, it's something I'd planned to do for quite
</I>><i>a while. From an implementation standpoint, I'd hang myself before releasing
</I>><i>code of this quality. No offense--if it works for you, fine; but there are
</I>><i>numerous potential problems and security holes in this implementation. To
</I>><i>point out a few: (further comments at the end of the message)
</I>><i>
</I>>><i> lock = fopen(".senpass.nick", "r");
</I>><i>
</I>><i> (1) There's a huge distance between this check and the time the file
</I>><i>is created, leaving a big window for race conditions (except that since
</I>><i>you process this all in the same thread you don't need a lock in the first
</I>><i>place).
</I>><i>
</I>><i> (2) Doing all the processing in the same thread, and especially waiting
</I>><i>for sendmail to finish, will slow down Services immensely. (Suppose your
</I>><i>sendmail is set to verify recipients' domain names before queueing mail; what
</I>><i>happens if someone registers a nick with an address in a domain they own, and
</I>><i>then shuts off the nameserver for that domain?)
</I>><i>
</I>><i> (3) This filename has a typo and so locking wouldn't ever work anyway.
</I>><i>
</I>>><i> } else if (!strchr(ni->email, '@')) {
</I>><i>[...]
</I>>><i> } else if(strlen(ni->email)>50) {
</I>><i>
</I>><i> This is a pretty weak check on E-mail address syntax.
</I>><i>
</I>>><i> strcpy(illsend,"/usr/sbin/sendmail ");
</I>>><i> strcat(illsend, ni->email);
</I>>><i> strcat(illsend," < .sendpass.nick");
</I>><i>[...]
</I>>><i> system(illsend);
</I>><i>
</I>><i> Lovely. Suppose I set my E-mail address to "foo@;IFS=.;rm.-rf./"?
</I>><i>Poof, there goes your system (or whatever part of it Services can access--
</I>><i>I hope you're not running as root). Not to mention the problems you get
</I>><i>with having a bogus "sendmail" in a directory in your PATH.
</I>><i>
</I>><i> For the record, the proper way to do this would be to open a direct SMTP
</I>><i>connection to a known mail server and send the mail over that connection,
</I>><i>using select() to monitor the status of the connection (and timing out in a
</I>><i>reasonable period of time to prevent people from using up all file
</I>><i>descriptors by sending lots of SENDPASS requests). Note that a proper
</I>><i>implementation of this functionality requires quite a bit of work, including
</I>><i>redoing the main program loop and I/O code to be able to monitor multiple
</I>><i>sockets at once; this is why I never got around to adding this functionality.
</I>><i>If it were as simple as writing a function like the original poster did, I
</I>><i>would have done it long ago.
</I>><i>
</I>><i> Andrew (Kempe): I'm willing to help you with this if you want, but you
</I>><i>need to be very careful about adding functionality like this; it can turn
</I>><i>into Swiss cheese (security- and stability-wise) if you don't watch out.
</I>><i>
</I>><i> --Andrew Church
</I>><i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at dragonfire.net</A>
</I>><i> <A HREF="http://achurch.dragonfire.net/">http://achurch.dragonfire.net/</A>
</I>><i>---------------------------------------------------------------
</I>><i>To unsubscribe, send email to <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">majordomo at ender.shadowfire.org</A>
</I>><i>with "unsubscribe ircservices" in the body, without the quotes.
</I>---------------------------------------------------------------
To unsubscribe, send email to <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">majordomo at ender.shadowfire.org</A>
with "unsubscribe ircservices" in the body, without the quotes.

</PRE>
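<P>The thread above turns on two concrete defects: an E-mail address that is only checked for an "@" and a length, and a command line built from that address and handed to system(), so a ";" in the address becomes a second shell command. The following is an added example (editor's illustration, not code from this list, from Andrew Church, or from the IRC Services project). It reproduces the vulnerable command construction only to show what the shell would parse, then puts a strict address check and a shell-free sendmail invocation next to it: the address becomes a single argv element passed to execv(), and the message body goes down a pipe instead of "&lt; .sendpass.nick". Assumed: the path /usr/sbin/sendmail from the post, the standard sendmail "-i" flag, the helper names valid_email, build_shell_command and send_via_sendmail, and the constructed sample addresses in main().</P>

```c
/* Added example: strict address check plus a shell-free sendmail call.
 * Assumed: SENDMAIL_PATH, the helper names and the sample addresses. */
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail"   /* path used in the post */

/* Characters allowed in the local part (conservative subset of RFC 5321). */
static int local_char(int c)
{
    return isalnum(c) || (c != 0 && strchr("._%+-", c) != NULL);
}

/* Returns 1 for local@domain where local is 1..64 chars of [A-Za-z0-9._%+-]
 * (not starting with '-', so it can never be read as a sendmail option),
 * domain is two or more labels of [A-Za-z0-9-] (1..63 chars, no leading or
 * trailing '-') and the whole address is <= 254 bytes. Everything else,
 * including every shell metacharacter, returns 0. */
int valid_email(const char *s)
{
    size_t n = strlen(s);
    const char *at = strchr(s, '@');
    if (n == 0 || n > 254 || at == NULL || at == s || at - s > 64 ||
        strchr(at + 1, '@') != NULL || s[0] == '-')
        return 0;
    for (const char *p = s; p < at; p++)
        if (!local_char((unsigned char)*p))
            return 0;
    int labels = 0;
    for (const char *d = at + 1; *d != '\0'; ) {
        const char *e = d;
        while (*e != '\0' && *e != '.')
            e++;
        size_t len = (size_t)(e - d);
        if (len == 0 || len > 63 || d[0] == '-' || d[len - 1] == '-')
            return 0;
        for (const char *p = d; p < e; p++)
            if (!isalnum((unsigned char)*p) && *p != '-')
                return 0;
        labels++;
        if (*e == '.' && *++e == '\0')   /* trailing dot */
            return 0;
        d = e;
    }
    return labels >= 2;
}

/* The construction from the post, reproduced only to show what the shell
 * would parse. Never hand this string to system(). */
void build_shell_command(char *out, size_t n, const char *email)
{
    snprintf(out, n, "%s %s < .sendpass.nick", SENDMAIL_PATH, email);
}

/* Hardened: no shell. The validated address is one argv element, the body is
 * written to sendmail's stdin through a pipe, and the child is reaped.
 * Returns 0 on success, -1 otherwise. It still blocks until sendmail exits
 * (the "slows down Services" point above); a single-threaded daemon would
 * instead hand the pipe and child to its main select() loop. */
int send_via_sendmail(const char *to, const char *body)
{
    int fds[2];
    if (!valid_email(to) || access(SENDMAIL_PATH, X_OK) != 0 || pipe(fds) != 0)
        return -1;
    signal(SIGPIPE, SIG_IGN);   /* a daemon would do this once at startup */
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { "sendmail", "-i", (char *)to, NULL };
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        execv(SENDMAIL_PATH, argv);
        _exit(127);             /* only reached if exec failed */
    }
    close(fds[0]);
    size_t len = strlen(body), off = 0;
    while (off < len) {
        ssize_t w = write(fds[1], body + off, len - off);
        if (w < 0) { if (errno == EINTR) continue; break; }
        off += (size_t)w;
    }
    close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (off == len && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Constructed samples; the first is the injection quoted in the thread. */
    const char *samples[] = { "foo@;IFS=.;rm.-rf./", "-x@example.com",
                              "user@localhost", "user@example.com" };
    char cmd[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_shell_command(cmd, sizeof cmd, samples[i]);
        printf("%-22s valid=%d  shell would see: %s\n",
               samples[i], valid_email(samples[i]), cmd);
    }
    if (argc > 1)   /* only try a real delivery when an address is given */
        printf("send: %d\n", send_via_sendmail(argv[1],
               "Subject: your Services password\n\n(password would go here)\n"));
    return 0;
}
```

<P>Run without arguments it only prints, for each sample, what the original code would have asked /bin/sh to execute and whether the strict check accepts the address; with an address as the first argument it performs a delivery through execv(), which fails cleanly (return -1) rather than invoking a shell when sendmail is absent. The validator is deliberately stricter than RFC 5321 (no quoted local parts, no single-label domains); anything it rejects is a registration the operator can afford to refuse, while anything it accepts is safe to place in argv. A bogus "sendmail" in PATH is moot because the path is absolute and no shell performs the lookup.</P>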

<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?
</A></li>
<LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#195">[ date ]</a>
<a href="thread.html#195">[ thread ]</a>
<a href="subject.html#195">[ subject ]</a>
<a href="author.html#195">[ author ]</a>
</LI>
</UL>

</body></html>