[SACVS] CVS: spamassassin Razor2.patch,1.4,1.5: msg#00084 mail.spam.spamassassin.cvs
Update of /cvsroot/spamassassin/spamassassin In directory sc8-pr-cvs1:/tmp/cvs-serv23439 Modified Files: Razor2.patch Log Message: revised patch and instructions Index: Razor2.patch =================================================================== RCS file: /cvsroot/spamassassin/spamassassin/Razor2.patch,v retrieving revision 1.4 retrieving revision 1.5 diff -b -w -u -d -r1.4 -r1.5 --- Razor2.patch 12 Sep 2003 22:49:41 -0000 1.4 +++ Razor2.patch 22 Sep 2003 22:57:05 -0000 1.5 
@@ -1,38 +1,67 @@ This information is originally from http://www.ijs.si/software/amavisd/ (Thanks to amavisd-new, Mark Martinec, and Vivek Khera!) -If SpamAssassin is running in taint-mode (the default) and is configured -to call Vipul's Razor 2.22 or higher, then Razor2 checks will fail because -the Razor2 code is not quite taint-safe. The problem is still present in -2.36 and the SpamAssassin developers do not know when it will be fixed so -please don't ask us! - -Razor2 fails because reading its config file (routine read_file in -Razor2/Client/Config.pm) produces tainted values. Razor2/Client/Core.pm -has a similar problem. +If SpamAssassin is running in taint-mode (the default) and is configured to +call Vipul's Razor 2.22 or higher, then Razor2 checks will fail because the +Razor2 code is not quite taint-safe. The problem is still present in 2.36 +and the SpamAssassin developers do not know when or how this will be +addressed so please don't ask us! To apply: cd to the directory /usr/{lib,share}/perl5/.../Razor2 (wherever -Client/Config.pm and Client/Core.pm are located) and apply the patch -directly with: +the Client subdirectory is located) and apply the patch directly with: - patch -p0 < patchfile + patch -p0 < Razor2.patch or apply to the Razor2 source tree with: - patch -p0 -d lib/Razor2 < patchfile + patch -p0 -d lib/Razor2 < Razor2.patch ---- Client/Config.pm~ 2002-11-25 19:13:59.000000000 +0100 -+++ Client/Config.pm 2002-11-11 19:29:17.000000000 +0100 -@@ -373,6 +373,7 @@ +Please make sure that no unpatched copies of Razor are installed on your +system. Sometimes, there is more than one installed copy. 
+ +--- Client/Agent.pm~ Tue Nov 19 16:26:05 2002 ++++ Client/Agent.pm Sun Sep 21 23:20:47 2003 +@@ -969,6 +969,7 @@ + my @fns; + if (opendir D,$self->{razorhome}) { + @fns = map "$self->{razorhome}/$_", grep /^server\.[\S]+\.conf$/, readdir D; ++ @fns = map { /^(\S+)$/, $1 } @fns; # untaint + closedir D; + } + foreach (@fns) { +--- Client/Config.pm~ Thu Nov 14 14:47:01 2002 ++++ Client/Config.pm Sun Sep 21 23:18:52 2003 +@@ -323,9 +323,11 @@ + if ($fn =~ /^(.*)\/([^\/]+)$/) { + my $dir = $1; + $fn = readlink $fn; ++ $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink + $fn = "$dir/$fn" unless $fn =~ /^\//; + } else { + $fn = readlink $fn; ++ $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink + } + } + } +@@ -366,13 +368,13 @@ + chomp; + next if /^\s*#/; + if ($nothash) { +- s/^\s+//; s/\s+$//; ++ next unless s/^\s*(.+?)\s*$/$1/; # untaint + $conf->{$_} = 7; + push @lines, $_; + } else { next unless /=/; - my ($attribute, $value) = split /\=/, $_, 2; - $attribute =~ s/^\s+//; $attribute =~ s/\s+$//; -+ $value = $1 if $value =~ /^(.*)$/; # untaint! +- my ($attribute, $value) = split /\=/, $_, 2; +- $attribute =~ s/^\s+//; $attribute =~ s/\s+$//; ++ my ($attribute, $value) = /^\s*(.+?)\s*=\s*(.+?)\s*$/; # untaint ++ next unless (defined $attribute && defined $value); $conf->{$attribute} = $self->parse_value($value); } $total++; ---- Client/Core.pm~ 2002-11-25 19:07:38.000000000 +0100 -+++ Client/Core.pm 2002-11-25 18:55:35.000000000 +0100 +--- Client/Core.pm~ Wed Nov 13 12:01:10 2002 ++++ Client/Core.pm Sun Sep 21 23:20:21 2003 @@ -216,8 +216,10 @@ foreach $rr ($query->answer) { my $pushed = 0; ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf |
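Review bot: In the Client/Agent.pm hunk, the block in `map { /^(\S+)$/, $1 } @fns` returns two values per element. In list context the match already returns its capture, and the comma then appends `$1` again, so every server.*.conf path lands in @fns twice and the following foreach visits each file twice. When a path does not match (for example, razorhome contains whitespace), the match contributes nothing and `$1` is whatever an earlier successful match left behind, or undef. Suggest `map { /^(\S+)$/ ? $1 : () } @fns`, which yields one untainted path per match and drops entries that fail the pattern.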
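Review bot: In the first Client/Config.pm hunk (@@ -323,9 +323,11 @@), `$fn = $1 if $fn =~ /^(\S+)$/` does nothing when the pattern fails, so a link target containing whitespace stays tainted and an undef from a failed readlink is carried into the code that follows. The taint failure this patch is meant to remove then resurfaces later with no hint of the cause. Handle the non-matching case explicitly (skip the file or report an error). Since `\S+` accepts any target without whitespace, also consider matching only the characters expected in a Razor config path instead of untainting whatever the symlink points to.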
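Review bot: In the second Client/Config.pm hunk (@@ -366,13 +368,13 @@), the new `/^\s*(.+?)\s*=\s*(.+?)\s*$/` needs at least one character on both sides of `=`, so a line with nothing after the `=` now fails the match and is silently dropped by `next unless (defined $attribute && defined $value)`, which also bypasses `$total++`. The removed split-based code still reached the `$conf->{$attribute}` assignment for such a line. If empty values are valid in a Razor config, use `(.*?)` for the value capture; if they are not, say so in the patch instructions. Both captures accept any content, so this line untaints without validating; a comment stating that this is intentional for a locally owned config file would help the next reader.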