Bug 7790 - Error in pyzor_options option parsing
Summary: Error in pyzor_options option parsing
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins (show other bugs)
Version: 3.4.3
Hardware: All All
: P2 minor
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-27 17:19 UTC by azotov
Modified: 2020-01-28 17:24 UTC (History)
2 users (show)



Attachment Type Modified Status Actions Submitter/CLA Status

Note You need to log in before you can comment on or make changes to this bug.
Description azotov 2020-01-27 17:19:45 UTC
For pyzor_options option only characters in the range [0-9A-Za-z ,._/-] are allowed for security reasons. But valid pyzor option can include '=' character (--homedir=HOMEDIR, --log-file=LOGFILE, etc). Please, add '=' to the list of allowed characters for pyzor_options.
Comment 1 RW 2020-01-27 22:07:53 UTC
I don't know whether there was a good reason to omit  '=', but it isn't actually essential, you can use 

  --homedir HOMEDIR --log-file LOGFILE 

It is confusing though.
Comment 2 azotov 2020-01-28 17:24:19 UTC
I have tried pyzor 1.0 with "--homedir HOMEDIR" options format and it worked. So the issue importance can be lowed to "minor".

But I still think that it would be useful to allow '=' in pyzor_options or to mention "--homedir HOMEDIR" format in spamassassin documentation. Running "pyzor --help" lists only "--homedir=HOMEDIR" options format so it is not evident that it is possible to use ' ' instead of '='.

P.S. It may be also useful to add a warning message if pyzor_options value contains forbidden characters and add modify "internal error, python traceback seen in response\n" warning message in Pyzor.pm by adding actual python traceback to it.

I am using spamassassin as a part of mimedefang and was very surprised to see an error message from mimedefang-multiplexor about python traceback as both spamassassin and mimedefang are written in perl, not python :). It was rather difficult to find out that actual reason of these messages in my case was the following: spamassassin silently ignored my custom pyzor_options due to '=' characters and run pyzor without any options and pyzor tried to create homedir in default (i.e. wrong) location and failed with python traceback due to lack of permissions to do that.