[Dovecot] Developing new Dspam Plugin
Timothy White
weirdit at gmail.com
Wed Jun 28 17:35:21 EEST 2006
> > Also, you should lazily init the mysql connection and then either close
> > it, or keep it open and re-use it, currently you don't close it but
> > re-init the mysql context and reconnect, that's probably going to create
> > a bunch of stale connections to the database.
>
> Hmmm, show's that I'm a bad programmer. I can't believe I left
> connections open, I don't normally do that! This lib-dict stuff sounds
> good.
> Timo, do you have an example of how to use it? Otherwise, for now I'll
> just close the connections.
Ok, I've now fixed this, by initialising a SQL connection once, and
then using SQL ping to check if it's alive, and if it's not the give
an error (I'll try and make it disconnect and reconnect later).
I just realised that it may be possible to exploit the snprintf and
send strange commands to the server, for this reason, the user that
the plugin uses, should only be able to run the 2 procedure's. I have
no idea how to make this secure, or if it is secure or not. Any ideas?
(e.g. snprintf(query, 20+MAXSIGLEN, "CALL SPAM(\"%s\")", signature);
If someone modifies the header, as long as it's within the MAXSIGLEN
then they can effect the query?)
Anyway, I'm off to try and work out why my DB is doing strange things,
then I'll update my wiki, and check for compat with RC1
Tim
--
Linux Counter user #273956
More information about the dovecot
mailing list