
From ghutchis@wso.williams.edu Wed Dec 23 09:19:36 1998
Date: Mon, 21 Dec 1998 09:30:42 -0500 (EST)
From: Geoff Hutchison <ghutchis@wso.williams.edu>
To: htdig3-dev@wso.williams.edu
Subject: htdig3-dev Final patch?


I'd clearly like to get this fix off. If this looks okay, I'll send a
report to various people this evening.

I'd like to release this as b4, with some memory fixes in htmerge and
htsearch. The latter fixes should also solve the "severe performance drop"
in b3. One question--is there anything else that needs to be included?

-Geoff

*** htdig-3.1.0b3/htnotify/htnotify.cc	Tue Dec 15 11:58:13 1998
--- htdig-3.1.0b4/htnotify/htnotify.cc	Mon Dec 21 09:26:11 1998
***************
*************** static char RCSid[] = "$Id: htnotify.cc,
*** 59,64 ****
--- 55,61 ----
  #include <fstream.h>
  #include <time.h>
  #include <stdio.h>
+ #include <string.h>
  
  // If we have this, we probably want it.
  #ifdef HAVE_GETOPT_H
*************** void htnotify(DocumentRef &ref)
*** 212,222 ****
  void send_notification(char *date, char *email, char *url, char *subject)
  {
    /* Currently unused    int		fildes[2]; */
-     String	to = email;
  
      String command = SENDMAIL;
-     command << " -F \"ht://Dig Notification Service\" -f ";
-     command << config["htnotify_sender"];
  
      char *token = strtok(to, " ,\t\r\n");
      while (token)
--- 209,230 ----
  void send_notification(char *date, char *email, char *url, char *subject)
  {
    /* Currently unused    int		fildes[2]; */
  
+   // Before we do anything with the email address, we need to sanitize it.
+     static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz\
+ ABCDEFGHIJKLMNOPQRSTUVWXYZ\
+ 1234567890_-.@+";
+ 
+     // If the length of strspn of acceptable chars is NOT the length
+     // Then we have an invalid e-mail address and we must stop it.
+     if (strspn(email, ok_chars) != strlen(email))
+       {
+ 	subject = "SECURITY: Attack Detected!";
+ 	email = config["maintainer"];
+       }
+ 
+     String	to = email;
      String command = SENDMAIL;
  
      char *token = strtok(to, " ,\t\r\n");
      while (token)
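Review bot: The whitelist in `ok_chars` leaves out the separators `' '`, `','`, `'\t'`, `'\r'` and `'\n'` that `strtok(to, " ,\t\r\n")` splits on a few lines later, so any recipient list holding more than one address now fails the `strspn` check and is redirected to the maintainer as an attack instead of being delivered. If multi-recipient lists are meant to work, either add `" ,\t"` to the accepted set (keeping `\r` and `\n` out so no header line can be smuggled in) or apply the `strspn` test to each token inside the loop. `strspn` and `strlen` also dereference `email` unconditionally, so a null argument should be rejected first, e.g. `if (!email || strspn(email, ok_chars) != strlen(email))`. Whether `config["maintainer"]` can be unset at this point is not visible in the hunk; if it can, the fallback recipient needs the same check before it is used. `send_notification` continues past the end of this hunk.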
*************** void send_notification(char *date, char 
*** 225,237 ****
        token = strtok(0, " ,\t\r\n");
      }
      
      FILE *fileptr;
      if( (fileptr = popen(command.get(), "w")) != NULL ) {
  
        if (!subject || !*subject)
! 	subject = "notification";
!       String	out;
!       out << "From: " << config["htnotify_sender"] << "\n";
        out << "Subject: WWW notification: " << subject << '\n';
        out << "To: " << to.get() << '\n';
        out << "Reply-To: " << config["htnotify_sender"] << "\n";
--- 233,246 ----
        token = strtok(0, " ,\t\r\n");
      }
      
+     command << " -t";
      FILE *fileptr;
      if( (fileptr = popen(command.get(), "w")) != NULL ) {
  
        if (!subject || !*subject)
!         subject = "page expired";
!       String    out;
!       out << "From: ht://Dig Notification Service" << "\n";
        out << "Subject: WWW notification: " << subject << '\n';
        out << "To: " << to.get() << '\n';
        out << "Reply-To: " << config["htnotify_sender"] << "\n";
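Review bot: With `-t` appended to `command`, sendmail now takes its recipients from the header block written to `fileptr`, so every value placed in a header has to be free of line breaks, yet `subject` is written straight into the `Subject:` header two lines later without such a check. Where `subject` originates is outside this hunk, but if it can come from crawled page content, a `\r` or `\n` inside it would let further header lines, including recipient headers, reach sendmail. A one-line guard before the `popen`, `if (subject && strpbrk(subject, "\r\n")) subject = "page expired";`, or stripping those two characters, closes that path; `to` is already limited to a safe character set earlier in the function, so it does not need the same treatment. The body of `send_notification` begins before this hunk and continues after it.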


