Docs: warn against using $local_part directly in delivery

author Jeremy Harris <jgh146exb@wizmail.org>

Wed, 8 Jan 2020 13:51:42 +0000 (13:51 +0000)

committer Jeremy Harris <jgh146exb@wizmail.org>

Wed, 8 Jan 2020 13:57:38 +0000 (13:57 +0000)
author Jeremy Harris <jgh146exb@wizmail.org>
Wed, 8 Jan 2020 13:51:42 +0000 (13:51 +0000)
committer Jeremy Harris <jgh146exb@wizmail.org>
Wed, 8 Jan 2020 13:57:38 +0000 (13:57 +0000)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt

index 4d02bdc32e8c339ae29431a5fabfd913fa8a34ac..8b15227950c8f9c710b7ddfdfa629d4b15b99064 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -6362,7 +6362,7 @@ All other options are defaulted.
  .code
  local_delivery:
    driver = appendfile
  .code
  local_delivery:
    driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$home
    delivery_date_add
    envelope_to_add
    return_path_add
    delivery_date_add
    envelope_to_add
    return_path_add
@@ -12385,6 +12385,18 @@ Global address rewriting happens when a message is received, so the value of
  because a message may have many recipients and the system filter is called just
  once.
  
  because a message may have many recipients and the system filter is called just
  once.
  
+.new
+&*Warning*&: the content of this variable is provided by a potential attacker.
+Consider carefully the implications of using it unvalidated as a name
+for file access.
+This presents issues for users' &_.forward_& and filter files.
+For traditional full user accounts, use &%check_local_users%& and the &$home$&
+variable rather than this one.
+For virtual users, store a suitable pathname component in the database
+which is used for account name validation, and use that retrieved value
+rather than this variable.
+.wen
+
  .vindex "&$local_part_prefix$&"
  .vindex "&$local_part_suffix$&"
  .cindex affix variables
  .vindex "&$local_part_prefix$&"
  .vindex "&$local_part_suffix$&"
  .cindex affix variables
@@ -20528,6 +20540,15 @@ is not the case when the file contains syntactically valid items that happen to
  yield empty addresses, for example, items containing only RFC 2822 address
  comments.
  
  yield empty addresses, for example, items containing only RFC 2822 address
  comments.
  
+.new
+&*Warning*&: It is unwise to use &$local_part$& or &$domain$&
+directly for redirection,
+as they are provided by a potential attacker.
+In the examples above, &$local_part$& is used for looking up data held locally
+on the system, and not used directly (the second example derives &$home$& via
+the passsword file or database, using &$local_part$&).
+.wen
+
  
  
  .section "Forward files and address verification" "SECID125"
  
  
  .section "Forward files and address verification" "SECID125"
diff --git a/src/src/configure.default b/src/src/configure.default

index cf38305e57c1966329e71999830ec76983b13ecf..08f5a9d10962a4e3bb8cecf490c6c3bf15b498b8 100644 (file)
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -863,7 +863,7 @@ smarthost_smtp:
  
  local_delivery:
    driver = appendfile
  
  local_delivery:
    driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$home
    delivery_date_add
    envelope_to_add
    return_path_add
    delivery_date_add
    envelope_to_add
    return_path_add
author	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 8 Jan 2020 13:51:42 +0000 (13:51 +0000)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 8 Jan 2020 13:57:38 +0000 (13:57 +0000)
doc/doc-docbook/spec.xfpt		patch \| blob \| history
src/src/configure.default		patch \| blob \| history