From: Santiago Vila <sanvila@debian.org>
Subject: Upgraded to confirm-1.3.5
X-Debian-version: 3.15-18

--- /dev/null
+++ b/SmartList/bin/confirm_sub
@@ -0,0 +1,93 @@
+#! /bin/sh
+
+# That's the modified original SmartList subscribe script to overcome security
+# implications and limititations caused by multigram. It's only used if 
+# require_confirm is set to yes
+
+test=test		# /bin/test
+echo=echo		# /bin/echo
+cat=cat			# /bin/cat
+sed=sed			# /bin/sed
+grep=grep		# /bin/grep
+date=date		# /bin/date
+formail=formail		# /usr/local/bin/formail
+multigram=multigram	# ../.bin/multigram
+arch_retrieve=arch_retrieve	# ../.bin/arch_retrieve
+
+tmprequest=tmp.request
+tmpfrom=tmp.from
+
+$test -z "$listaddr" &&
+ $echo "Don't start this script directly, it is used in rc.request" && exit 64
+
+subscraddr="$1"
+$test -z "$subscraddr" &&
+ $echo "Error: missing address to subscribe" && exit 64
+
+if $test ! -r dist
+then
+  $echo "subscribe: Where did the dist file go?" 1>&2
+  $echo "(Only addresses below this line can be automatically removed)" >>dist
+fi
+
+case "$X_ENVELOPE_TO" in
+  *$list-request*) wrongaddress="" ;;
+  *) wrongaddress="WARNING:
+	Please try to use '$listreq'
+	the next time when issuing (un)subscribe requests.
+" ;;
+esac
+
+if $test -f subscreen
+then
+  ./subscreen "$subscraddr" || exit 1
+fi
+
+$grep '^Subject: Re:' <$tmprequest >/dev/null &&
+  wrongaddress="${wrongaddress}WARNING:
+	Send in a new mail, INSTEAD OF REPLYING
+	the next time when issuing (un)subscribe requests.
+"
+
+$multigram -a "$subscraddr" dist >/dev/null
+
+sender=`$formail -rtzcxTo: <$tmprequest`
+
+$test -z "$subscribe_log" ||
+ $echo "subscribe: $subscraddr by: $sender  `$date`" >>$subscribe_log
+
+case $subscraddr in
+   *$sender*) sender="$subscraddr" ;;
+   *) sender="$sender $subscraddr" ;;
+esac
+
+( $formail -i"From: $listreq" -rtA"X-Loop: $listaddr" <$tmprequest
+
+  $test ! -z "$wrongaddress" && $echo "$wrongaddress" && wrongaddress=""
+
+  $echo "You have added to the subscriber list of:"
+  $echo ""
+  $echo "	$listaddr"
+  $echo ""
+  $echo "the following mail address:"
+  $echo ""
+  $echo "	$subscraddr"
+  $echo ""
+  $echo "By default, copies of your own submissions will be returned."
+  $echo ""
+
+  $cat $subscribetxt
+
+  $sed -e 's/^/>/' $tmprequest
+) | $SENDMAIL $sendmailOPT $sender
+
+if $test -f $subscribefiles
+then
+  $formail -X "" -i "Reply-To: $subscraddr" -i "Subject: archive" \
+   <$tmprequest >$tmpfrom
+  $cat $tmpfrom >$tmprequest
+  $echo "" >>$tmprequest
+  $cat $subscribefiles >>$tmprequest		# setup fake archive commands
+  $echo $subscraddr >$tmpfrom
+  exec $arch_retrieve <$tmprequest		# the point of no return
+fi
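Review bot: `$sender` on the `$SENDMAIL` line is expanded unquoted, yet it is assembled from the request's reply address and `$subscraddr`, both of which come from the incoming message. The shell word-splits and glob-expands it, and a value that begins with `-` would reach the mailer as an option instead of a recipient. Because the split into two recipients is intended, I would keep the expansion unquoted but put `set -f` just before the pipeline and end option parsing on the call, `) | $SENDMAIL $sendmailOPT -- $sender`, assuming the configured mailer accepts `--`. The same care is needed for `$echo $subscraddr >$tmpfrom`, which should read `$echo "$subscraddr" >$tmpfrom` as the extraddr change in this patch already does. It also applies to the `*$sender*` case pattern, where glob characters in the address act as wildcards.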
--- a/SmartList/bin/extraddr
+++ b/SmartList/bin/extraddr
@@ -78,17 +78,11 @@
      case $a in
 	$listreq|$listaddr) ;;
 	?*) subscraddr=$a
-	   $echo " $subscraddr" >$tmpfrom ;;
+	   $echo "$subscraddr" >$tmpfrom ;;
      esac
   fi
 done
 
-subscraddr=""	# let multigram eliminate trailing and leading punctuation
-
-address=`$formail -k -xSubject: <$tmprequest |
- $multigram -b1 -x$listreq -x$listaddr -l$off_threshold $tmpfrom |
- $sed -e 's/^ *[^ ]* *[^ ]* *[^ ]* *\([^ ]*\)/\1/' `
-
 for a in $address ""
 do
   $test -z "$subscraddr" && subscraddr=$a
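Review bot: The loop `for a in $address ""` still reads `$address`, but this hunk deletes the only visible assignment to it. Unless the variable is set earlier in the file (not visible here), it is either empty or inherited from the environment the script runs in. An inherited value would be word-split and used as the subscription address whenever the header loop found none. With the `subscraddr=""` reset also gone, the loop looks like leftover code. I would either remove it or add `address=""` directly above it so the fallback to `$fromaddr` is the only path. The loop body continues past the end of the hunk.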
@@ -97,7 +91,7 @@
 $test -z "$subscraddr" && subscraddr=$fromaddr
 
 # log the attempt
-$echo "$0: subscription request from $fromaddr" >> log
+$echo "$0: subscription request from $fromaddr" >>$subscribe_log
 
 if [ -z $ADR ]; then
   $formail -f -I"X-RFC822Conform: $subscraddr" < $tmprequest
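Review bot: The new log line redirects to `>>$subscribe_log` without checking that the variable is set, whereas confirm_sub in this same patch guards its log write with `$test -z "$subscribe_log" ||`. With an empty or unset `subscribe_log` the redirection fails and the attempt is not logged at all, which loses the audit trail the comment above promises. I would write it as `$test -z "$subscribe_log" || $echo "$0: subscription request from $fromaddr" >>"$subscribe_log"`, or fall back to the old `log` file when the variable is empty. The `if` that follows continues outside the hunk.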
--- a/SmartList/etc/rc.request
+++ b/SmartList/etc/rc.request
@@ -5,6 +5,10 @@
 # New mails can be temporarily stalled by creating the file rc.lock (either in
 # ../.etc for all lists or in the current directory for this list only).
 
+# modified for security reasons and better handling for email addresse
+# with non alphanumeric chars at the beginning off local part
+# 11 Feb. 2005, Werner Reisberger, werner at pure dot ch
+
 # modified for confirmation messages and multiple maintainers 
 # 11 Dec. 1998, Werner Reisberger, werner at pure dot ch
 
@@ -305,10 +309,22 @@
      
      :0
      * require_confirm ?? y
-     * ! $^X-Diagnostic: $\subscraddr tried to confirm subscription
-     {	}
+     * ! dublette ?? y
+     * auto_subscribe ?? y
+     * $^X-Diagnostic: $\subscraddr tried to confirm subscription
+      {
+	    :0 W ${cc_requests:+c}:dist.lock
+	    | confirm_sub $subscraddr
+
+	    :0 awfh
+	    | formail -A "X-Diagnostic: Added to the subscriber list"
+
+	    :0 Ewfh
+	    | formail -A "X-Diagnostic: Tried to subscribe"
+	  }
 
      :0 E
+     * ! require_confirm ?? y
      * ! dublette ?? y
      * auto_subscribe ?? y
       {
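Review bot: The action line `| confirm_sub $subscraddr` passes the address unquoted, so an address containing whitespace or shell metacharacters may not arrive in confirm_sub as the single `$1` it expects. `| confirm_sub "$subscraddr"` would match the quoting already used on the formail lines in this block. Separately, the recipe treats a matching `X-Diagnostic: ... tried to confirm subscription` header as proof of confirmation. It is not visible in this hunk whether X-Diagnostic headers arriving on the incoming message are stripped before this point, so that should be confirmed and, if it holds, documented in a comment above the recipe. The last recipe's block opens at the end of the hunk and continues outside it.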
