Do not disclose dqs api key in default rule description #65

Open
wants to merge 2 commits into
base: master

photoninger
Contributor

remove $prs->{zone} from default rule description.
zone contains the DQS API key.

remove $prs->{zone} from default rule description
remove $prs->{zone} from default rule description
@ricalfieri
Collaborator

Are you using the report template in emails that the end user receives? Because the disclosure would only happen if you run "spamassassin -t" or, probably, if you use the report_template.

In that case it would probably be more useful to substitute the zone with, at least, the hash of the listed component, for debugging purposes.

@photoninger
Contributor Author

Only admins get reports from spamassassin.
But others might also send reports to end users and if they don't configure a description for the checks, their DQS API key might leak.
In my opinion it is better to prevent such mistakes. And in the case of HBL there is only one zone which is used, so there is no need to use the zone name in the description.
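
An added example, not code from this pull request or from the plugin: one way to build a default rule description that keeps the list name for debugging while never printing the key. It assumes a DQS zone has the form `<key>.<list>.dq.spamhaus.net`; the helper names `redact_zone` and `default_description`, the rule name and the sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers, not the plugin's code. Assumption: a DQS zone is
# "<key>.<list>.dq.spamhaus.net", i.e. the API key is the leftmost DNS label.

# Return the zone with the key label replaced by a fixed placeholder.
sub redact_zone {
    my ($zone) = @_;
    return '' unless defined $zone;
    $zone =~ s/\.$//;    # drop a trailing root dot
    # Under dq.spamhaus.net, hide the first label and keep the list name.
    # A keyless name under that suffix loses its first label too, which
    # errs on the side of not leaking.
    $zone =~ s/^[^.]+\.((?:[^.]+\.)*dq\.spamhaus\.net)$/<dqs-key>.$1/i;
    return $zone;
}

# Build a default description that is safe to show in a report.
# $component is whatever was looked up (optional), kept for debugging.
sub default_description {
    my ($rule, $zone, $component) = @_;
    my $desc = "$rule: listed in " . redact_zone($zone);
    $desc .= " (lookup: $component)"
        if defined $component && length $component;
    return $desc;
}

# Constructed sample zones; the key is a made-up placeholder.
my @zones = (
    'examplekey0123456789abcdef.hbl.dq.spamhaus.net',
    'EXAMPLEKEY0123456789ABCDEF.zen.dq.spamhaus.net.',
    'zen.spamhaus.org',    # no key, passes through unchanged
);

for my $z (@zones) {
    my $d = default_description('EXAMPLE_RULE', $z, 'constructed-lookup-value');
    die "key leaked in: $d\n" if $d =~ /examplekey/i;
    print "$d\n";
}
```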
