[Mailman-Users] Long Email Addressess

Christopher G. Petrilli petrilli at amber.org
Thu Mar 4 01:17:47 CET 1999

On Wed, Mar 03, 1999 at 04:48:10PM -0700, John-David Childs wrote:
> FYI: I know next to nothing about Python, some I'm not able to
> specifically scan the code (yet) looking for the big obvious security
> holes...but I did run across something interesting.

Python should have NO buffer-overrun problems as all strings are ALWAYS
dynamically allocated, as are all other structurs.  There's just simply
no "fixed" sizes used.

> I tried a very simple/stupid buffer overflow test.  What would happen if I
> tried to subscribe a long email address?  My test case was only about 300
> characters...I'll probably try some really long usernames later but in any
> case I found that sendmail would choke on the email address I entered
> (prescan: token too long) yet mailman would think that the addy was
> sucessfully subscribed.

Um, from memory, I don't think that RFC822 actually limits email address
sizes :-)  Certainly there is NO limit on DNS theoretically, both to the
number of subdomains, nor the size of each level.  So, this would be a
sendmail bug, in my eye.

| Christopher Petrilli                      ``Television is bubble-gum for
| petrilli at amber.org                          the mind.''-Frank Lloyd Wright

More information about the Mailman-Users mailing list