Re: Sendmail 8.6.10: what's different?

[cwe () it kth se (Christian Wettergren)]

| On Thu, 23 Feb 1995, der Mouse wrote:
| > cleanstrcpy(), referred to several times above, is like strcpy, but it
| > strips newlines and copies only a restricted set of characters:
| > letters, digits, and !#$%&'*+-./^_`{|}~ - why that set was chosen,
| > there's no indication.

The reason for that set of characters are that it is the characters that
"divide" input into tokens in /bin/sh.

CERT once recommended me to use the following set of filtered characters 

   '"', '*', '&', '|', '$', ';', '`', '\', '=', '?', '<', '>', 
   '!', '(', ')', '\n', '{', '}', '[', ']', '^', '`'
   
that is "\"*&|$;'\\=?<>!()\n{}[]^`"

If we diff the two sets, we get
common:    !$*&|'^`{} 
sendmail:  #%+-./_~
cert:      ";\=?<>()\n[]

There are a few ones missing above, that maybe should be included, like
'[' and ']'. There is also a number of additional characters '#', '%',
'+', '-', '.', '/', '_' and '~', which I take as erring on the safe side,
like avoiding the possibility of specifying paths and arguments to programs.

| Actually, I like the approach of "explicitly listing what we know is 
| good", rather than "exclude characters that we know of that are bad" - 
| it's a lot safer to verify and has less suprises down the track.

Do you mean that one could miss a few of them? Unthinkable! :-)

/Christian Wettergren