From 3469d9e7f679216af70f5d8c10f2935aae83ffa3 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 20 Mar 2024 12:45:49 +0000
Subject: [PATCH] Validate local parts for messages.openstreetmap.org to untaint them
---
 roles/web-frontend.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/web-frontend.rb b/roles/web-frontend.rb
index 2549e98dc..b6d80ae8c 100644
--- a/roles/web-frontend.rb
+++ b/roles/web-frontend.rb
@@ -38,7 +38,8 @@ default_attributes(
 :messages => {
 :comment => "messages.openstreetmap.org",
 :domains => ["messages.openstreetmap.org"],
- :command => "/usr/local/bin/deliver-message $local_part",
+ :local_parts => ["^c-(\\\\d+)-(\\\\d+)-(.*)\\$", "^m-(\\\\d+)-(.*)\\$"],
+ :command => "/usr/local/bin/deliver-message $local_part_data",
 :user => "rails",
 :group => "rails",
 :home_directory => "/srv/www.openstreetmap.org/rails",
-- 
2.45.1
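Review bot: The trailing `(.*)` in both new `:local_parts` patterns accepts any characters after the numeric ids, so the validation constrains only the prefix of the value that `:command` then passes to `/usr/local/bin/deliver-message` as `$local_part_data`. If the final token has a known alphabet (not visible in this hunk), a bounded class would make the untainting meaningful, for example `"^m-(\\\\d+)-([0-9a-z]+)\\$"` as a constructed illustration to be adjusted to the real token format. A comment above `:local_parts` would also help, along the lines of `# escaped for Ruby and for the mail config's string expansion; effective regex is ^c-(\d+)-(\d+)-(.*)$`, though that reading is inferred from the escaping because the consuming template is not shown. The `:messages` hash and the enclosing `default_attributes(` call both continue outside the hunk.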