seanthegeek
commented
3 months ago I'm thinking we can add three options to the config file:
always_use_local_files- Disables the download of the reverse DNS maplocal_reverse_dns_map_path- Overrides the default local file path to use for the reverse DNS mapreverse_dns_map_url- Overrides the default download URL for the reverse DNS map
That would allow users to pick exactly how they would like parsedmarc to load the map.
I built the current behavior to encourage others to contribute to the map, and to avoid users needing to upgrade the parsedmarc package just to get an updated map, or riequire me to make new releases just for updated maps for anything other than correcting errors (like the last few releases 😅).
kitzler-walli
Szasza
In https://github.com/domainaware/parsedmarc/commit/18f7508a1f09db554bc8a31bb26acc79d5c37c3f#diff-953601e25cfe2a31ac1b2602fcab0be206d5c7bb860165d66679f455ead64fcfR335 a direct download from GitHub has been introduced.
Unfortunately the download happens before the code is having a chance to use the map file sitting with the code The only ways to avoid this from happening are:
This means that if a malicious actor gains access to the GitHub repo, a manipulated CSV file will automatically be downloaded for all
parsedmarcinstallations.It would be ideal to use the local file as a first option. Alternatively, it would be great to be able to turn off the automatic download without rendering the whole
parsedmarcrun offline, or maybe being able to provide the download URL as a config option, so the file can be refreshed in a more controlled manner.@seanthegeek if you are ok with it, I am happy to rework the reverse DNS map usage slightly to address the above.