SA Bugzilla – Bug 4968
[review] untaint_file_path claims "%" is an unsafe character
Last modified: 2006-07-09 17:38:15 UTC
On my Red Hat Enterprise Linux box all hosted email accounts have home directories that contain a "%" character and look like this (this example is for the email address "john@example.com"):

    /home/john%example.com

This causes SpamAssassin to complain like this in various circumstances (for example, when running sa-learn):

    security: cannot untaint path: "/home/john%example.com/.spamassassin"

This is because the "%" character in the path causes the regex in the untaint_file_path() function (in "Util.pm") to fail to match:

    my $chars = '-_A-Za-z\xA0-\xFF0-9\.\@\=\+\,\/\\\:';
    my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;

Now, this may be a bug in SpamAssassin, or an unfortunate consequence of the server policy to substitute "%" for "@" in email account home directories. I am not aware of any adverse consequences of adding "%" to the regex; am I missing something here? Should SpamAssassin be changed to allow the "%" character when untainting file paths?

    my $chars = '-_A-Za-z\xA0-\xFF0-9\.\@\%\=\+\,\/\\\:';
    my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;
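A worked example, added here and not code from the bug report or from SpamAssassin itself, that exercises the regex quoted above as a stand-alone Perl script. It builds the untaint pattern from both the original character class and the one with "%" added, then runs the reporter's path plus a few constructed hostile paths through each, to show that admitting "%" lets the "%"-containing home directory through while the anchored allow-list still rejects an embedded newline, ";" and "$". The helper names make_untaint_re() and untaint_with() are invented for this example; the real untaint_file_path() does more than the regex shown in the bug. The /o modifier is dropped because the pattern here is compiled from more than one $chars value, and /o would freeze it at the first.

```perl
#!/usr/bin/perl
# Added example, not SpamAssassin's own code: a minimal stand-in for the
# untaint_file_path() regex quoted in bug 4968, with the character class
# before and after '%' is added. make_untaint_re() and untaint_with() are
# hypothetical helper names for this illustration only.
use strict;
use warnings;

# Character class as quoted from Util.pm (original) and with '%' added (patched).
my $chars_orig    = '-_A-Za-z\xA0-\xFF0-9\.\@\=\+\,\/\\\:';
my $chars_patched = '-_A-Za-z\xA0-\xFF0-9\.\@\%\=\+\,\/\\\:';

# Build the regex the way the bug shows it: the first character must come from
# the class, the rest may also be '~' or a space, and the pattern is anchored at
# both ends so nothing outside the allow-list can ride along. No /o here, since
# this sub is called with different $chars values.
sub make_untaint_re {
    my ($chars) = @_;
    return qr/^\s*([$chars][${chars}~ ]*)$/;
}

# Return the untainted path (the captured group), or undef when the path holds
# a character outside the allow-list.
sub untaint_with {
    my ($re, $path) = @_;
    return $path =~ $re ? $1 : undef;
}

my $re_orig    = make_untaint_re($chars_orig);
my $re_patched = make_untaint_re($chars_patched);

# Constructed sample paths: the reporter's case plus a few hostile ones.
my @samples = (
    '/home/john/.spamassassin',                # plain path: accepted by both
    '/home/john%example.com/.spamassassin',    # reporter's case: original rejects, patched accepts
    "/home/john/.spamassassin\n/etc/passwd",   # embedded newline: rejected by both
    '/home/john/.spamassassin; rm -rf /',      # shell metacharacter ';': rejected by both
    '/home/john/$HOME/.spamassassin',          # '$': rejected by both
);

for my $p (@samples) {
    my $shown = $p;
    $shown =~ s/\n/\\n/g;    # keep the table on one line per sample
    printf "%-45s original: %-7s patched: %s\n", $shown,
        defined untaint_with($re_orig, $p)    ? 'ok' : 'REJECT',
        defined untaint_with($re_patched, $p) ? 'ok' : 'REJECT';
}
```

One check worth making before widening an allow-list like this is where the untainted value ends up: "%" is inert in a path handed to filesystem calls, but would matter if the same string were later fed to a printf-style format or URL-decoded, which is the kind of consumer this regex is not protecting against either way.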
I can't think of a reason not to include %, so I've committed it for 3.2.0 and will put up a proper patch needing votes in a minute.

    Sending        lib/Mail/SpamAssassin/Util.pm
    Transmitting file data .
    Committed revision 417315.
Created attachment 3560: suggested patch
+1
    Sending        lib/Mail/SpamAssassin/Util.pm
    Transmitting file data .
    Committed revision 420383.