Prior to V8.10,
sendmail would not screen header lines to make
sure they contained no null (zero) bytes. Instead, such null bytes
were passed through, and sometimes caused misinterpretation of
addresses and the like.
It might seem impossible that a null byte could appear in a string
because the C-language string library routines use a null character
to terminate all strings. But consider the case of a hexadecimal 0x80
character. Such a character has the high bit set, but when delivery
is to a 7-bit-only site, sendmail will strip the
high bit from 0x80, leaving behind a new 0x00 value in the middle of
a string. A null byte!
Beginning with V8.10, sendmail offers a way to
strip such null bytes from headers before sending those headers
onward. The F=1 delivery agent flag, when set,
tells sendmail to strip all null bytes that it
finds from all headers. Note that only the headers in the header
portion of the message are screened. MIME headers in the body of the
message are not screened.
The F=1 delivery agent flag is not set by default
for any delivery agent. To add it, use the MODIFY_MAILER_FLAGS
command (see this section). In the following
example, we add it to the smtp class of delivery
agents:
MODIFY_MAILER_FLAGS(`SMTP', `+1')
In general, this delivery agent flag should be set for outbound
delivery agents and for local, final delivery agents. In both, there
is a small vulnerability to forgeries that use the hex 80 value.
Consider:
From: friend0x80@spam.site
If the 0x80 were to be converted to a zero, the
message might wrongly appear to be from a friend on the local
machine.
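The forgery described above, as an added example (not sendmail's own code): it clears the high bit of each byte as for a 7-bit-only site, then shows what a C string routine reads with and without null stripping. The function names, HDR_MAX and the sample address bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HDR_MAX 256

/* Clear the high bit of every byte, as happens on delivery to a 7-bit-only site. */
static void to_7bit(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] &= 0x7f;
}

/* Remove every null byte in place and return the new length (the screening
 * the text attributes to F=1; this is a model, not sendmail's code). */
static size_t drop_nulls(unsigned char *buf, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            buf[out++] = buf[i];
    return out;
}

/* Return the address as a C string routine reads it after 7-bit conversion.
 * With screen != 0, null bytes are stripped before the string is read.
 * Returns NULL if addr does not fit the buffer. */
const char *seen_address(const char *addr, size_t len, int screen)
{
    static unsigned char buf[HDR_MAX];

    if (len >= HDR_MAX)
        return NULL;
    memcpy(buf, addr, len);
    to_7bit(buf, len);
    if (screen)
        len = drop_nulls(buf, len);
    buf[len] = '\0';            /* terminate whatever remains */
    return (const char *)buf;
}

int main(void)
{
    /* Constructed sample: the page's example address with a real 0x80 byte. */
    static const char addr[] = "friend\x80@spam.site";
    size_t len = sizeof(addr) - 1;

    printf("unscreened: %s\n", seen_address(addr, len, 0));
    printf("screened:   %s\n", seen_address(addr, len, 1));
    return 0;
}
```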