On (2003/11/20 13:44), Adam H. Pendleton wrote:
> # PgSQL system aliases
> pgsql_sys_aliases:
> driver = redirect
> allow_fail
> allow_defer
> data = ${lookup pgsql{SELECT dest FROM email_aliases \
> WHERE alias='${local_part}' AND type='system'}}
SQL injection time. :-)
> My questions are:
>
> 1. Why is exim performing this system aliases lookup for a from
> address? Shouldn't sender verify be done somewhere else?
If the sender address is in a domain that Exim believes is local, Exim
will (and should) perform whatever lookups necessary to determine
whether it's a deliverable address in that local domain, assuming sender
verification is enabled.
> 2. What can I do to prevent this from being a real problem?
See the section "More about MySQL and PostgreSQL and Oracle" in the
spec. You're looking for quote_pgsql. :-)
This, incidentally, is one of the reasons you should give serious
consideration to giving Exim read-only access to your database. :-)
Ciao,
Sheldon.
