From c4d118162f1748a9bb4478ec86431495d3132166 Mon Sep 17 00:00:00 2001
From: IKEDA Soji
Date: Tue, 19 Jan 2021 11:55:17 +0900
Subject: [PATCH 1/2] Remove undocumented backtick syntax in sympa.conf that allows to execute arbitrary code
---
src/lib/Conf.pm | 6 ------
1 file changed, 6 deletions(-)
diff --git a/src/lib/Conf.pm b/src/lib/Conf.pm
index ce5ce13d0..e8f99cc3a 100644
--- a/src/lib/Conf.pm
+++ b/src/lib/Conf.pm
@@ -1728,12 +1728,6 @@ sub _load_config_file_to_hash {
 my ($keyword, $value) = ($1, $2);
 $value =~ s/\s*$//;
- # Special case: `command`
- if ($value =~ /^\`(.*)\`$/) {
- $value = qx/$1/;
- chomp($value);
- }
-
 $keyword = $Sympa::Config::Schema::obsolete_robot_params{$keyword} // $keyword;
--
GitLab
From 90368b060b598a04861a1b871e7bad3bab43328c Mon Sep 17 00:00:00 2001
From: IKEDA Soji
Date: Sat, 23 Jan 2021 15:43:53 +0900
Subject: [PATCH 2/2] Prevent loading sympa.conf if it contains backtick.
---
src/lib/Conf.pm | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib/Conf.pm b/src/lib/Conf.pm
index e8f99cc3a..551289da6 100644
--- a/src/lib/Conf.pm
+++ b/src/lib/Conf.pm
@@ -1728,6 +1728,11 @@ sub _load_config_file_to_hash {
 my ($keyword, $value) = ($1, $2);
 $value =~ s/\s*$//;
+ # Deprecated syntax: `command`
+ if ($value =~ /^\`(.*)\`$/) {
+ die sprintf "%s: Backtick (`...`) in sympa.conf is no longer allowed. Check and modify configuration.\n", $value;
+ }
+
 $keyword = $Sympa::Config::Schema::obsolete_robot_params{$keyword} // $keyword;
--
GitLab
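Review bot: The new `die` in the second patch identifies the rejected entry only by its value, so an administrator whose daemon now refuses to start has to search the file for that string. `$keyword` is in scope from the `my ($keyword, $value) = ($1, $2);` line and could be passed as a second `%s` argument so the message names the offending parameter. The pattern `/^\`(.*)\`$/` rejects only values wholly wrapped in backticks, which is the form the removed `qx//` branch executed, while the commit title says "contains backtick". A comment such as `# Only the fully wrapped form was ever executed; reject it so a stale config fails closed.` would record that this is deliberate, and the now unused capture group can become `.*`. The body of `_load_config_file_to_hash` starts and ends outside the hunk, so whether its callers trap this `die` cannot be seen here.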