<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<TITLE> [IRCServices] what do they think ?</TITLE>
<LINK REL="Index" HREF="index.html">
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000194.html">
<LINK REL="Next" HREF="000202.html">
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] what do they think ?</H1>
<B>root of all evil</B>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20what%20do%20they%20think%20%3F&In-Reply-To=" TITLE="[IRCServices] what do they think ?">climber at rionet.com.br</A><BR>
<I>Fri Oct  8 16:49:56 PDT 1999</I>
<UL>
<LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?</A></LI>
<LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?</A></LI>
<LI><B>Messages sorted by:</B>
<a href="date.html#195">[ date ]</a>
<a href="thread.html#195">[ thread ]</a>
<a href="subject.html#195">[ subject ]</a>
<a href="author.html#195">[ author ]</a>
</LI>
</UL>
<PRE>Thanks for the advice.
I use it on my network only (a small network); of course, I don't run anything
related to IRC as root. My sendmail is not configured to check addresses,
so it's not a big deal if I do sendmail <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">bla at urg.uf.lu</A>; it will just generate a
mail with an error message, won't it? About the ';', it is a big security hole;
I'll try to make a stricter check on emails. Any suggestions?
About the bogus sendmail in PATH, how would it be possible? I can't figure it out,
only if I do that (only I have access to the account).

The problem, to me, with SMTP is that you have to make an email client for it
to work well. Some time ago a Brazilian network tried to do something like this
(SMTP sendmail), but if the email was not valid, the whole Services would crash.

irc.rionet.com.br;irc.brasirc.com.br

On Wed, 31 Dec 1969, you wrote:
&gt;&gt;<i> I had written this function on my services; it is working well, but I would like</I>
&gt;&gt;<i> to hear comments and suggestions on it.</I>
&gt;&gt;<i> It sends password information to the nick email (ni-&gt;email), and I changed the</I>
&gt;&gt;<i> do_register, so users must give a mail.</I>
&gt;<i> From a functional standpoint, it's something I'd planned to do for quite</I>
&gt;<i> a while. From an implementation standpoint, I'd hang myself before releasing</I>
&gt;<i> code of this quality. No offense--if it works for you, fine; but there are</I>
&gt;<i> numerous potential problems and security holes in this implementation. To</I>
&gt;<i> point out a few: (further comments at the end of the message)</I>
&gt;&gt;<i>     lock = fopen(".senpass.nick", "r");</I>
&gt;<i> (1) There's a huge distance between this check and the time the file</I>
&gt;<i> is created, leaving a big window for race conditions (except that since</I>
&gt;<i> you process this all in the same thread you don't need a lock in the first</I>
&gt;<i> (2) Doing all the processing in the same thread, and especially waiting</I>
&gt;<i> for sendmail to finish, will slow down Services immensely. (Suppose your</I>
&gt;<i> sendmail is set to verify recipients' domain names before queueing mail; what</I>
&gt;<i> happens if someone registers a nick with an address in a domain they own, and</I>
&gt;<i> then shut off the nameserver for that domain?)</I>
&gt;<i> (3) This filename has a typo and so locking wouldn't ever work anyway.</I>
&gt;&gt;<i>     } else if (!strchr(ni-&gt;email, '@')) {</I>
&gt;&gt;<i>     } else if(strlen(ni-&gt;email) &gt; 50) {</I>
&gt;<i> This is a pretty weak check on E-mail address syntax.</I>
&gt;&gt;<i>     strcpy(illsend, "/usr/sbin/sendmail ");</I>
&gt;&gt;<i>     strcat(illsend, ni-&gt;email);</I>
&gt;&gt;<i>     strcat(illsend, " &lt; .sendpass.nick");</I>
&gt;&gt;<i>     system(illsend);</I>
&gt;<i> Lovely. Suppose I set my E-mail address to "foo@;IFS=.;rm.-rf./"?</I>
&gt;<i> Poof, there goes your system (or whatever part of it Services can access--</I>
&gt;<i> I hope you're not running as root). Not to mention the problems you get</I>
&gt;<i> with having a bogus "sendmail" in a directory in your PATH.</I>
&gt;<i> For the record, the proper way to do this would be to open a direct SMTP</I>
&gt;<i> connection to a known mail server and send the mail over that connection,</I>
&gt;<i> using select() to monitor the status of the connection (and timing out in a</I>
&gt;<i> reasonable period of time to prevent people from using up all file</I>
&gt;<i> descriptors by sending lots of SENDPASS requests). Note that a proper</I>
&gt;<i> implementation of this functionality requires quite a bit of work, including</I>
&gt;<i> redoing the main program loop and I/O code to be able to monitor multiple</I>
&gt;<i> sockets at once; this is why I never got around to adding this functionality.</I>
&gt;<i> If it were as simple as writing a function like the original poster did, I</I>
&gt;<i> would have done it long ago.</I>
&gt;<i> Andrew (Kempe): I'm willing to help you with this if you want, but you</I>
&gt;<i> need to be very careful about adding functionality like this; it can turn</I>
&gt;<i> into Swiss cheese (security- and stability-wise) if you don't watch out.</I>
&gt;<i> --Andrew Church</I>
&gt;<i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">achurch at dragonfire.net</A></I>
&gt;<i> <A HREF="http://achurch.dragonfire.net/">http://achurch.dragonfire.net/</A></I>
&gt;<i>---------------------------------------------------------------</I>
&gt;<i>To unsubscribe, send email to <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices">majordomo at ender.shadowfire.org</A></I>
&gt;<i>with "unsubscribe ircservices" in the body, without the quotes.</I>
</PRE>
<UL>
<LI>Previous message: <A HREF="000194.html">[IRCServices] what do they think ?</A></LI>
<LI>Next message: <A HREF="000202.html">[IRCServices] what do they think ?</A></LI>
<LI><B>Messages sorted by:</B>
<a href="date.html#195">[ date ]</a>
<a href="thread.html#195">[ thread ]</a>
<a href="subject.html#195">[ subject ]</a>
<a href="author.html#195">[ author ]</a>
</LI>
</UL>