Postfix Archives: Re: (LONG) LDAP and bogus characters

Re: (LONG) LDAP and bogus characters


Wietse Venema (wietseporcupine.org)
Thu, 18 Nov 1999 15:13:36 -0500 (EST)


Keith Stevenson:
> I apologize in advance for the length of this message, but I feel the need to
> be complete.

Thank you for providing substance and evidence.

> Nov 18 09:53:33 erouter0 postfix/cleanup[27389]: cleanup_header:
> 'To: 1LT Bill Kingery <whkingeryaol.com>,? ?1LT David Tharp
> <DLTharpaol.com>,? ?1LT Paul Arno
...
> That has to be one of the ugliest things that I've ever seen. One of my
> windows-savvy co-workers suggested that the question marks might be "smart
> quotes" which are unicode characters.

The ? characters represent newlines, tabs, and other characters that don't
print. When logging or bouncing, Postfix masks non-printing
characters so they cannot upset software that looks at the output.
See my Murphy paper, ftp.porcupine.org/pub/security/index.html.

> Nov 18 09:53:33 erouter0 postfix/cleanup[27389]: rewrite_clnt:
> canonicalize: \ -> \erouter0.it-datacntr.louisville.edu

And LDAP goes ka-boom.

The culprit is the following:

    1SG MARK \"MOOSE\" YOUNG <mmyoungipa.net>...

This parses as:

   atom "1SG"
   atom "MARK"
   atom "\"
   quoted string "MOOSE\" YOUNG <mmyoungipa.net> ...

Which seems wrong to me. The first \ definitely should not parse as an
atom all by itself. I'll do my best. The RFC 822 parser is a bit hairy.

> Is there anything that I can add to my lookup tables which will shield LDAP
> from getting these bogus lookups? I would prefer that it return a hard error
> instead of the 451 that is currently being returned to the client. (I'm
> drowning in postmaster notifications.)
>
> Thanks for any help or advice,

Simplest is to put a REGEXP map before your LDAP one. Let the
REGEXP map replace a lone \ localpart by \\.

Bear in mind that Postfix repeats map lookups until the result no
longer changes.

And the LDAP client code needs to be made more robust, but that
is someone else's module.

        Wietse
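
The token sequence shown in the message above, reproduced by a simplified tokenizer. This is an added example, not part of the original post and not Postfix's RFC 822 parser. The sample address is constructed, and treating `\` outside quotes as an escape is only one assumed alternative, not the fix described in the thread.

```python
SPECIALS = set('()<>@,;:.[]')  # RFC 822 specials other than \ and "
# Constructed sample modelled on the header in the message (address is made up).
SAMPLE = r'1SG MARK \"MOOSE\" YOUNG <user@example.net>'

def tokenize(text, escape_outside_quotes):
    """Split a header value into (kind, raw_text) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1  # \x inside quotes is one unit
            kind = 'quoted string' if j < n else 'quoted string (unterminated)'
            tokens.append((kind, text[i + 1:j]))
            i = j + 1
        elif c == '\\' and not escape_outside_quotes:
            tokens.append(('atom', c))  # the lone-backslash atom from the message
            i += 1
        elif c in SPECIALS:
            tokens.append(('special', c))
            i += 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in SPECIALS and text[j] != '"':
                if text[j] == '\\':
                    if not escape_outside_quotes:
                        break
                    j += 1  # assumed alternative: \x outside quotes is also one unit
                j += 1
            tokens.append(('atom', text[i:j]))
            i = j
    return tokens

def suspicious(tokens):
    """True if the parse should be rejected before it reaches a map lookup."""
    return any(t == ('atom', '\\') or t[0].endswith('(unterminated)') for t in tokens)

if __name__ == '__main__':
    for mode in (False, True):
        toks = tokenize(SAMPLE, mode)
        print('escape_outside_quotes =', mode, '| suspicious =', suspicious(toks))
        for kind, raw in toks:
            print('   ', kind, repr(raw))
```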


