[Esd-l] Sanitizer 1.136 and older versions of Perl

Joe Steele joe at madewell.com
Thu Oct 24 14:02:01 PDT 2002


After noticing changes in the way messages were being sanitized with 
1.136, I turned on debugging/logging and discovered the following in 
the log:

   Too many arguments for substr at -e line 318, near ""...") "
   Execution of -e aborted due to compilation errors.
   procmail: Error while writing to " perl -p -e ' #\

This error meant that MIME attachments were not being properly 
sanitized.  Fortunately, the new "SECURITY_POISON_WINEXE" code was 
kicking in and catching executables that would otherwise have gotten 
through (Thanks to John Hardin for another useful option).

The offending substr function call is contained in the following code 
which was newly revised in Sanitizer 1.136:

  while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) { #\
    warn " Shortening long filename.\n";    #\
    $filen =~ s/\s+/ /g;    #\
    substr ($filen,64,32,"...") while (length($filen) > 120);       #\
    $hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i;   #\
    $mangle_mime_type = 1;  #\
  } #\

With great shame, I admit that the version of Perl in use was only 
5.004_04.  As best I can tell (I don't know Perl), Perl's substr 
function has been enhanced by allowing a fourth argument which 
earlier versions of Perl don't recognize.  I have no idea which 
version of Perl first introduced this enhancement.  I do know that 
Perl v5.6.0 allows the enhanced syntax.

This all brings up the point that the Sanitizer's website says 
nothing more than "You must have Perl installed."  There's no mention 
of a minimum compatible version.

For any of you using older versions of Perl, you may want to 
investigate whether the substr issue affects you.  Alternatively, you 
might try the patch which follows, keeping in mind that "I don't know 
Perl" (corrections from Perl experts welcomed).

Naturally, the best solution is to upgrade Perl.

--Joe



diff -uNr orig/html-trap.procmail revised/html-trap.procmail
--- orig/html-trap.procmail	Sun Oct 20 13:38:17 2002
+++ revised/html-trap.procmail	Thu Oct 24 13:43:28 2002
@@ -963,7 +963,7 @@
 	      while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) {	#\
 		warn " Shortening long filename.\n";	#\
 		$filen =~ s/\s+/ /g;	#\
-		substr ($filen,64,32,"...") while (length($filen) > 120);	#\
+		substr ($filen,64,32) = "..." while (length($filen) > 120);	#\
 		$hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i;	#\
 		$mangle_mime_type = 1;	#\
 	      }	#\
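Review bot: the lvalue form `substr ($filen,64,32) = "..."` on the `+` line is behaviourally the same as the four-argument call it replaces (it overwrites the 32 characters at offset 64 with three, so each pass still shrinks the name by 29 characters and the `while` still terminates), and unlike the four-argument form it is accepted by pre-5.005 Perls such as the 5.004_04 described above. Consider adding a short `#\` comment on that line stating that the lvalue form is deliberate for older Perls, so that a later cleanup does not switch it back; the trailing `#\` continuation markers are preserved correctly.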

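The shortening loop from the patch above, reworked as a stand-alone Perl script; this is an added example and not the Sanitizer's own code, and the header line, the 204-character attachment name and the shorten_filename name are constructed for illustration.

```perl
#!/usr/bin/perl -w
# Added example (not from the Sanitizer): the long-filename shortening
# loop written with lvalue substr, which pre-5.005 Perls accept, applied
# to a constructed Content-Disposition header.
use strict;

# Collapse whitespace, then repeatedly replace the 32 characters at
# offset 64 with "..." until the name is no longer than 120 characters.
# Each pass removes 32 characters and inserts 3, so the name shrinks by
# 29 per iteration and the loop always terminates.
sub shorten_filename {
    my ($filen) = @_;
    $filen =~ s/\s+/ /g;
    substr($filen, 64, 32) = "..." while (length($filen) > 120);
    return $filen;
}

# Constructed header line carrying a 204-character attachment name.
my $hdrtxt = 'Content-Disposition: attachment; filename="'
           . ('a' x 100) . ('b' x 100) . '.exe"';

if ($] < 5.005) {
    warn "Perl $] predates four-argument substr; using the lvalue form.\n";
}

# Same match and rewrite as the Sanitizer, using the portable helper.
if (my ($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) {
    my $short = shorten_filename($filen);
    $hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$short"/i;
    print "shortened to ", length($short), " characters: $short\n";
    print "$hdrtxt\n";
}
```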