Programmers with network engineering skills

Joe Greco jgreco at ns.sol.net
Tue Mar 13 13:41:21 UTC 2012


> > The ideal world contains a mix of techniques.
> > 
> > You cannot just blindly leave it to the MTA to decide what's valid.
> > Along that path lies madness.  How do you pass the address to the MTA?
> > Don't do it as a system() call unless you want someone to own your
> > box with a semicolon.
> 
> Only if you don't properly quote/escape the arguments you are passing.

That's a great theory that's been a disaster in practice, as "properly"
is difficult and mistakes often turn into exploits.

That's not to say that you're not right, obviously you are, but that is
kind of more of a sign of the scope of the problem than anything else.
In an ideal world, it wouldn't be an issue.  In reality, the set of
allowed characters for e-mail addresses should probably have been a bit
more controlled...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
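An added illustration of the point the exchange turns on (not code from the post or the thread): the command string a system() call would hand to /bin/sh, unquoted and "properly" quoted, beside an argv-style invocation of the MTA that never involves a shell. The sendmail path, the -oi/-- options and the sample addresses are assumptions made for the example.

```python
# Added example: handing a recipient address to a local MTA without a shell.
# MTA path, option set and sample addresses are constructed, not from the post.
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed location of the MTA's sendmail(1)

# Conservative address shape: RFC 5322 dot-atom local part, DNS-style domain.
# Note that atext itself admits ' ! $ & | ` and friends, so a syntactically
# valid address can still contain characters a shell would interpret.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_RE = re.compile(
    rf"^{_ATEXT}(?:\.{_ATEXT})*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def is_plausible_address(addr: str) -> bool:
    """Syntax check only; it is not what keeps the shell out of the picture."""
    return len(addr) <= 254 and _ADDR_RE.fullmatch(addr) is not None


def system_command(addr: str, quoted: bool) -> str:
    """The string a system()-style call would hand to /bin/sh.

    The unquoted form is the pattern the thread warns against; the quoted
    form is "properly escaped" and only stays safe while nobody forgets it.
    """
    arg = shlex.quote(addr) if quoted else addr
    return f"{SENDMAIL} -oi -- {arg}"


def sendmail_argv(addr: str) -> list[str]:
    """argv for an exec-style call: no shell, so no metacharacters apply.

    '--' (assumed to be honoured by the MTA's option parser) keeps an address
    that begins with '-' from being read as an option.
    """
    return [SENDMAIL, "-oi", "--", addr]


def deliver(addr: str, message: bytes, run=subprocess.run):
    """Validate, then exec the MTA directly. `run` is injectable for tests."""
    if not is_plausible_address(addr):
        raise ValueError(f"rejected recipient: {addr!r}")
    return run(sendmail_argv(addr), input=message, shell=False, check=True)
```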