Bug 4041 - Users can load plugins
Summary: Users can load plugins
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins
Version: unspecified
Hardware: All other
Importance: P5 normal
Target Milestone: 3.1.0
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-12-17 15:32 UTC by Stuart Johnston
Modified: 2005-04-02 10:50 UTC (History)
Description Stuart Johnston 2004-12-17 15:32:23 UTC
Calling loadplugin from user_prefs works despite the documentation which
suggests that it should not.  It is listed under 'Administrator Settings' in the
manpage for Mail::SpamAssassin::Conf.  Additionally, this could be a source of
security problems - allowing users to execute unsafe code.
Comment 1 Theo Van Dinter 2004-12-17 17:32:31 UTC
Subject: Re:  New: Users can load plugins

On Fri, Dec 17, 2004 at 03:32:25PM -0800, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> Calling loadplugin from user_prefs works despite the documentation which
> suggests that it should not.  It is listed under 'Administrator Settings' in the
> manpage for Mail::SpamAssassin::Conf.  Additionally, this could be a source of
> security problems - allowing users to execute unsafe code.

Just to verify, this is reproducible with spamd?  "spamassassin" may let this
happen since there's no security issue (it runs as the user running it...)

Comment 2 Stuart Johnston 2004-12-17 17:48:48 UTC
I don't know.  I don't have spamd set up to test with.

Even if it only happens with spamassassin, it should probably at least give a
warning since it is contrary to the docs and creates unexpected behavior
(default rules don't get loaded).
Comment 3 Theo Van Dinter 2004-12-17 17:57:41 UTC
Subject: Re:  Users can load plugins

On Fri, Dec 17, 2004 at 05:48:51PM -0800, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> Even if it only happens with spamassassin, it should probably at least give a
> warning since it is contrary to the docs and creates unexpected behavior
> (default rules don't get loaded).

We'd have to give an error for all of the "admin only" options then. ;)

I'll leave this up to other folks, just wanted to make sure spamassassin vs
spamd. :)

Comment 4 Justin Mason 2004-12-17 18:11:09 UTC
Well, I think we should add some doco about it, if it's not already there.  But
-- whew! ;)
Comment 5 Daniel Quinlan 2005-04-02 19:50:25 UTC
Touched up docs, closing as FIXED in 3.1.0
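
A check an administrator could run over per-user preference files to spot the situation reported in this bug (an added example, not part of the bug thread and not SpamAssassin's own code). The directive set holds only `loadplugin`, the one named here; the function name and the sample file content are constructed for illustration.

```python
import re

# Directives treated as administrator-only. "loadplugin" is the one this bug
# names; adding others to the set is left to the reader (assumption).
ADMIN_ONLY = {"loadplugin"}

# Constructed sample user_prefs content (not taken from the bug report).
SAMPLE_USER_PREFS = """\
# personal settings
required_score 4.5
  loadplugin My::Plugin /home/alice/My/Plugin.pm
whitelist_from friend@example.com
# loadplugin Commented::Out
LoadPlugin Other::Plugin
"""

# A '#' starts a comment unless it is backslash-escaped.
_COMMENT = re.compile(r"(?<!\\)#.*")


def find_admin_directives(text, admin_only=ADMIN_ONLY):
    """Return (line_number, directive, argument) for every admin-only
    directive found on a live (non-comment, non-blank) line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        # Match conservatively: ignore case and treat '-' like '_',
        # so spelling variants of a directive are still flagged.
        key = parts[0].lower().replace("-", "_")
        if key in admin_only:
            arg = parts[1] if len(parts) > 1 else ""
            findings.append((lineno, key, arg))
    return findings


if __name__ == "__main__":
    for lineno, key, arg in find_admin_directives(SAMPLE_USER_PREFS):
        print(f"user_prefs:{lineno}: admin-only directive '{key}' ({arg})")
```
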