From: David Morton
Date: Tue, 26 Jan 2010 19:41:29 -0600
To: Mark Martinec
CC: users@spamassassin.apache.org
Subject: Re: insecure dependency in sa-learn --import

Mark Martinec wrote:
>> perl 5.8.8
>
> --- lib/Mail/SpamAssassin/BayesStore/DBM.pm (revision 903517) > +++ lib/Mail/SpamAssassin/BayesStore/DBM.pm (working copy) > @@ -1438,6 +1438,9 @@ > # bayes directory > my $main = $self->{bayes}->{main}; > my $path = $main->sed_path($main->{conf}->{bayes_path}); > + > + # prevent dirname() from tainting the result, it assumes $1 is not tainted > + local($1,$2,$3); > my $dir = dirname($path); > > # make temporary copy since old dbm and new dbm may have same name

Thanks Mark, I can confirm that works for me.

-- 
David Morton
Morton Software & Design http://www.dgrmm.net - Ruby on Rails PHP Applications
Maia Mailguard http://www.maiamailguard.com - Spam management for mail servers
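Review bot: The comment added above `local($1,$2,$3);` says dirname() assumes $1 is not tainted, but it does not record where the tainted capture comes from or which Perl builds need the workaround (the report quoted here is against perl 5.8.8), so a later cleanup could drop the line as dead code and reintroduce the "insecure dependency" failure. Suggest expanding the comment to name that condition. Also worth stating in the comment: why localizing exactly `$1`, `$2` and `$3` is sufficient for the `dirname($path)` call that follows, and that `$path` is built from the `bayes_path` configuration value and is treated as trusted at this point, since the change resets capture variables rather than validating the path itself.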