[exim-dev] Security of ${dlfunc

Author: Tony Finch
Date:  
To: exim-dev
Old-Topics: [exim-dev] What user should ${run...} in config file run as?
Subject: [exim-dev] Security of ${dlfunc
${dlfunc is not included in the default build. If it is included then
anyone who can modify the configuration file can insert arbitrary code
into Exim, since ${dlfunc includes the filename of the shared object to be
loaded. IIRC when developing the feature I thought this was OK since it's
roughly as dangerous as ${run. Clearly this isn't in fact OK.

I propose to change the feature to allow the shared object to be specified
at compile time instead of run time. This has the advantage of making the
configuration syntax less cluttered. For compatibility I'll allow a set of
acceptable shared object parent directories to be compiled in, so if a
filename is specified in ${dlfunc then it can be checked for safety.
The idea is similar logic to David's config file safety work.

PS. sorry for my lack of contributions last week. I couldn't keep up with
the rest of you so never had anything to add!

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
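
The parent-directory check proposed in the message above, sketched as an added example; it is not Exim source or the author's code. The function names, the `DLFUNC_DIRS` list and its directory value are hypothetical, and the file-mode test is an extra assumption of this sketch.

```c
/* Added example, not Exim source. Names and the directory are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical compiled-in list of parent directories (placeholder value). */
static const char *const DLFUNC_DIRS[] = { "/usr/lib/exim/dlfunc", NULL };

/* 1 if canonical path `resolved` names something strictly below `dir`. */
static int path_below(const char *resolved, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/') n--;   /* ignore trailing slashes */
    if (strncmp(resolved, dir, n) != 0) return 0;
    /* Component boundary: ".../dlfunc-evil" must not match ".../dlfunc". */
    return resolved[n] == '/' && resolved[n + 1] != '\0';
}

/* 1 only if `path` is absolute, resolves (symlinks and ".." followed) to a
   regular file below one of `dirs`, and is not group- or world-writable.
   The mode test is an assumption of this sketch. On success `resolved`
   holds the canonical path, which is what the caller should load. */
static int dlfunc_path_allowed(const char *path, const char *const *dirs,
                               char resolved[PATH_MAX])
{
    struct stat st;
    if (path[0] != '/') return 0;                    /* no library search path */
    if (realpath(path, resolved) == NULL) return 0;  /* missing or unreadable */
    if (stat(resolved, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    for (; *dirs != NULL; dirs++)
        if (path_below(resolved, *dirs)) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX];
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i],
               dlfunc_path_allowed(argv[i], DLFUNC_DIRS, resolved) ? "allowed" : "refused");
    return 0;
}
```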