Re: [Exim] Security when using quote_mysql?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Philip Hazel
Date:  
À: Jakob Hirsch
CC: exim-users
Sujet: Re: [Exim] Security when using quote_mysql?
On Sun, 17 Mar 2002, Jakob Hirsch wrote:

> According to exim-spec 6.12 backslashes should be escaped when using
> quote_mysql. We use something like
> where local_part="${quote_mysql:${extract {1}{@%!}{$1}}}"


What exactly is the setting you use?

> Am I using quote_mysql in the wrong way or is this really a security
> issue?


I can't really tell without more data. There may be some problem with
the ordering of what is done.

> And even worse, I really don't think that such a verbose error message
> should be sent back in the SMTP dialogue:


It should be different in Exim 4.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.