I can confirm that the patch works as expected.

The patch does not apply cleanly on my SA (3.4.2-1~deb9u2), but only because of
cosmetic differences; attached is a patch that works on SA 3.4.2-1~deb9u2.


Thanks!

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
--- Greylisting.pm.orig	2019-12-19 11:27:35.535866138 +0100
+++ Greylisting.pm	2019-12-19 11:30:59.132703809 +0100
@@ -21,6 +21,7 @@
 
 use strict;
 use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util qw(untaint_var);
 use NetAddr::IP;
 use File::Path qw(mkpath);
 our @ISA = qw(Mail::SpamAssassin::Plugin);
@@ -71,9 +72,25 @@
     }
     Mail::SpamAssassin::Plugin::dbg("GREYLISTING: called function");
 
-    $optionhash  =~ s/;/,/g;
+    #$optionhash  =~ s/;/,/g;
     # This is safe, right? (users shouldn't be able to set it in their config)
-    %option=eval $optionhash;
+    #%option=eval $optionhash;
+
+    # ... no, evaling random strings is not safe!!!
+    # Ditch eval and parse hash string manually to maintain backwards compatibility
+    $optionhash =~ s/^\s*\(\s*//;
+    $optionhash =~ s/\s*\)\s*$//;
+    foreach my $opt (split(/\s*;\s*/, $optionhash)) {
+       my @vals = split(/\s*=>\s*/, $opt, 2);
+       next unless defined $vals[1];
+       # Sanitize away quotes and any unneeded characters, then untaint
+       foreach (@vals) {
+           s/[^\w\/-]//gs;
+           $_ = untaint_var($_);
+       }
+       $option{$vals[0]} = $vals[1];
+    }
+
     $self->{'rangreylisting'}=1;
 
     foreach my $reqoption (qw ( method greylistsecs dontgreylistthreshold
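Review bot: the sanitizer `s/[^\w\/-]//gs;` silently rewrites values instead of rejecting them, so a value such as a file path or hostname containing a dot, colon or `@` would be quietly mangled (`/var/lib/grey.db` becomes `/var/lib/greydb`) and the plugin would carry on with a wrong setting; better to validate each key and value against an allowlist pattern and, on mismatch, emit a `Mail::SpamAssassin::Plugin::dbg`/warn and skip the entry, and likewise log in the `next unless defined $vals[1];` branch so a malformed option is visible rather than dropped. Also, the old lines should be removed rather than kept as `#$optionhash  =~ s/;/,/g;` and `#%option=eval $optionhash;`; the comment `# ... no, evaling random strings is not safe!!!` already records why the eval went away, and the leftover `# This is safe, right?` comment now reads as misleading and should go with them.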