aboutsummaryrefslogtreecommitdiffstats
path: root/design-notes.html
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2005-07-20 15:22:11 +0000
committerMatthias Andree <matthias.andree@gmx.de>2005-07-20 15:22:11 +0000
commitf031aecee9d45d9604b87e9f26ca3e6252ff6a76 (patch)
tree855242f4cec88caa7175d1cf86d246117c201764 /design-notes.html
parent7c6e7ec184cd463b925c812d0803129b3f1e160b (diff)
downloadfetchmail-f031aecee9d45d9604b87e9f26ca3e6252ff6a76.tar.gz
fetchmail-f031aecee9d45d9604b87e9f26ca3e6252ff6a76.tar.bz2
fetchmail-f031aecee9d45d9604b87e9f26ca3e6252ff6a76.zip
Add security thoughts.
svn path=/trunk/; revision=4144
Diffstat (limited to 'design-notes.html')
-rw-r--r--design-notes.html17
1 files changed, 17 insertions, 0 deletions
diff --git a/design-notes.html b/design-notes.html
index ffd82bf8..149d67b4 100644
--- a/design-notes.html
+++ b/design-notes.html
@@ -33,6 +33,23 @@ ESR made previously, and the differences and new directions will be laid
out in this document. It is therefore a sort of a TODO document, until
the necessary code revisions have been made.</p>
+<h2>Security</h2>
+
+<p>Fetchmail was handed over in a pretty poor shape, security-wise. It will
+happily talk to the network with root privileges, use sscanf() to read
+remotely received data into fixed-length stack-based buffers without
+length limitation and so on. A full audit is required and security
+concepts will have to be applied. Random bits are:</p>
+
+<ul>
+ <li>code talking to the network does not require root privileges and
+ needs to run without root permissions</li>
+ <li>all input must be validated, all strings must be length checked,
+ all integers range checked</li>
+ <li>all types will need to be reviewed whether they are signed or
+ unsigned</li>
+</ul>
+
<h2>SMTP forwarding</h2>
<p>Fetchmails multidrop and rewrite options will process addresses