From e4cb191047943e47b82b6ca87d29d8d42681b873 Mon Sep 17 00:00:00 2001
From: Jeff King
Date: Mon, 5 Jan 2009 06:34:59 +0000
Subject: [PATCH] Don't do printf interpolation on config('me')
The code feeds the results of $session->config('me') to sprintf as part of the format string. In practice, this is probably not a problem since hostnames don't contain percent signs. However, it triggers a taint warning in perl 5.10, making cram-md5 auth unusable. This patch rewrites the sprintf to insert the 'me' value using a %s format specifier.
---
lib/Qpsmtpd/Auth.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Qpsmtpd/Auth.pm b/lib/Qpsmtpd/Auth.pm
index 6e9a2a5..635491a 100644
--- a/lib/Qpsmtpd/Auth.pm
+++ b/lib/Qpsmtpd/Auth.pm
@@ -60,8 +60,8 @@ sub SASL {
 # rand() is not cryptographic, but we only need to generate a globally
 # unique number. The rand() is there in case the user logs in more than
 # once in the same second, of if the clock is skewed.
- $ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">",
- rand(1000000), time() );
+ $ticket = sprintf( '<%x.%x@%s>',
+ rand(1000000), time(), $session->config("me") );
 # We send the ticket encoded in Base64
 $session->respond( 334, encode_base64( $ticket, "" ) );
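Review bot: The rewritten sprintf on the `+` lines removes the format-string dependence on config('me'), but the ticket's uniqueness still rests on `rand(1000000)` and `time()` alone, and the comment above only argues uniqueness within one process. If the server forks after rand() has already been seeded in the parent, children inherit the same generator state and can hand out identical tickets in the same second — the accept/fork path is not visible from this hunk, so treat that as something to confirm. Folding the process id into the nonce, `$ticket = sprintf( '<%x.%x.%x@%s>', rand(1000000), time(), $$, $session->config("me") );`, keeps this commit's fix and makes the challenge distinct per child; CRAM-MD5 relies on the challenge being unique so that a captured response cannot be replayed, which is worth stating in the comment instead of "globally unique number". A `config("me")` that returns undef would now yield an `@>` ticket plus an uninitialized-value warning, if config() can return undef here. SASL's body starts and ends outside the hunk.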