rename -> *.git

[irc.git] / software / RELEASES / ircservices / achurch.org / services / lists / ircservices / 1999 / 000195.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [IRCServices] what do they think ?
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To=">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000194.html">
   <LINK REL="Next"  HREF="000202.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[IRCServices] what do they think ?</H1>
    <B>root of all evil</B> 
    <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To="
       TITLE="[IRCServices] what do they think ?">climber at rionet.com.br
       </A><BR>
    <I>Fri Oct  8 16:49:56 PDT 1999</I>
    <P><UL>
        <LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?
</A></li>
        <LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#195">[ date ]</a>
              <a href="thread.html#195">[ thread ]</a>
              <a href="subject.html#195">[ subject ]</a>
              <a href="author.html#195">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Thanks on advices 
i use it on my network only (a smal network); of curse, i dont run anything
related to irc as a root, my sendmail is not configurated to check adress
so it's not a big deal if i do sendmail <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">bla at urg.uf.lu</A> it will just generate a 
mail whith  an error msg, isnt it ? , about the ; it is a big security houle,
i'ill try to make a stricter check on emails, any sugestions ? 
about the bogus sendmail on patch, who wold it be posible ? i cant figure it,
only if i do that (only i have access to the acount)

the problem, to me whith smtp is, that you have to make a email client, to it
work well, sometime ago a brasilian network tried to do somethink like this
(smtp sendmail) but if the email is not valid ,the wole services gone crash

FiGhTeR
Rafael Moraes
irc.rionet.com.br;irc.brasirc.com.br






 On Wed, 31 Dec 1969, you wrote: 
&gt;&gt;<i>i had wrote this function on my services, it is working well, but i wold like 
</I>&gt;&gt;<i>to hear coments and sugestions on it 
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>it send password information to the nick email (ni-&gt;email) and i changed the
</I>&gt;&gt;<i>do_register, so users must give a mail
</I>&gt;<i>
</I>&gt;<i>     From a functional standpoint, it's something I'd planned to do for quite
</I>&gt;<i>a while.  From an implementation standpoint, I'd hang myself before releasing
</I>&gt;<i>code of this quality.  No offense--if it works for you, fine; but there are
</I>&gt;<i>numerous potential problems and security holes in this implementation.  To
</I>&gt;<i>point out a few: (further comments at the end of the message)
</I>&gt;<i>
</I>&gt;&gt;<i>      lock = fopen(&quot;.senpass.nick&quot;, &quot;r&quot;);
</I>&gt;<i>
</I>&gt;<i>     (1) There's a huge distance between this check and the time the file
</I>&gt;<i>is created, leaving a big window for race conditions (except that since
</I>&gt;<i>you process this all in the same thread you don't need a lock in the first
</I>&gt;<i>place).
</I>&gt;<i>
</I>&gt;<i>     (2) Doing all the processing in the same thread, and especially waiting
</I>&gt;<i>for sendmail to finish, will slow down Services immensely.  (Suppose your
</I>&gt;<i>sendmail is set to verify recipients' domain names before queueing mail; what
</I>&gt;<i>happens if someone registers a nick with an address in a domain they own, and
</I>&gt;<i>then shut off the nameserver for that domain?)
</I>&gt;<i>
</I>&gt;<i>     (3) This filename has a typo and so locking wouldn't ever work anyway.
</I>&gt;<i>
</I>&gt;&gt;<i>    } else if (!strchr(ni-&gt;email, '@')) {
</I>&gt;<i>[...]
</I>&gt;&gt;<i>    } else if(strlen(ni-&gt;email)&gt;50) {
</I>&gt;<i>
</I>&gt;<i>     This is a pretty weak check on E-mail address syntax.
</I>&gt;<i>
</I>&gt;&gt;<i>       strcpy(illsend,&quot;/usr/sbin/sendmail &quot;);
</I>&gt;&gt;<i>       strcat(illsend, ni-&gt;email);
</I>&gt;&gt;<i>       strcat(illsend,&quot; &lt; .sendpass.nick&quot;);
</I>&gt;<i>[...]
</I>&gt;&gt;<i>          system(illsend);
</I>&gt;<i>
</I>&gt;<i>     Lovely.  Suppose I set my E-mail address to &quot;foo@;IFS=.;rm.-rf./&quot;?
</I>&gt;<i>Poof, there goes your system (or whatever part of it Services can access--
</I>&gt;<i>I hope you're not running as root).  Not to mention the problems you get
</I>&gt;<i>with having a bogus &quot;sendmail&quot; in a directory in your PATH.
</I>&gt;<i>
</I>&gt;<i>     For the record, the proper way to do this would be to open a direct SMTP
</I>&gt;<i>connection to a known mail server and send the mail over that connection,
</I>&gt;<i>using select() to monitor the status of the connection (and timing out in a
</I>&gt;<i>reasonable period of time to prevent people from using up all file
</I>&gt;<i>descriptors by sending lots of SENDPASS requests).  Note that a proper
</I>&gt;<i>implementation of this functionality requires quite a bit of work, including
</I>&gt;<i>redoing the main program loop and I/O code to be able to monitor multiple
</I>&gt;<i>sockets at once; this is why I never got around to adding this functionality.
</I>&gt;<i>If it were as simple as writing a function like the original poster did, I
</I>&gt;<i>would have done it long ago.
</I>&gt;<i>
</I>&gt;<i>     Andrew (Kempe):  I'm willing to help you with this if you want, but you
</I>&gt;<i>need to be very careful about adding functionality like this; it can turn
</I>&gt;<i>into Swiss cheese (security- and stability-wise) if you don't watch out.
</I>&gt;<i>
</I>&gt;<i>  --Andrew Church
</I>&gt;<i>    <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at dragonfire.net</A>
</I>&gt;<i>    <A HREF="http://achurch.dragonfire.net/">http://achurch.dragonfire.net/</A>
</I>&gt;<i>---------------------------------------------------------------
</I>&gt;<i>To unsubscribe, send email to <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">majordomo at ender.shadowfire.org</A>
</I>&gt;<i>with &quot;unsubscribe ircservices&quot; in the body, without the quotes.
</I>---------------------------------------------------------------
To unsubscribe, send email to <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">majordomo at ender.shadowfire.org</A>
with &quot;unsubscribe ircservices&quot; in the body, without the quotes.

</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?
</A></li>
	<LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#195">[ date ]</a>
              <a href="thread.html#195">[ thread ]</a>
              <a href="subject.html#195">[ subject ]</a>
              <a href="author.html#195">[ author ]</a>
         </LI>
       </UL>

</body></html>