Re: [exim] Handling addresses with apostrophe

Author: Phil Pennock
To: Odhiambo Washington
CC: exim users
Subject: Re: [exim] Handling addresses with apostrophe
On 2011-01-26 at 18:56 +0300, Odhiambo Washington wrote:
> Funnily, I still don't know how to handle an address such as
> john'doe@??? <john%27doe@???> with Exim.
> Anybody doing it?

Yes. You don't percent-hex-encode addresses in email.

Here are two addresses which are perfectly valid and *explicitly*
configured on my mail-system, not handled by defaults:


"X'); DROP TABLE domains; DROP TABLE passwords; --"@???

I hope you know your shell quoting rules, if you want to test those.

> What are the dangers of having such an address working? Does M Sex Change
> allow it?

It took me a moment to figure out what you were talking about and my
first glance over the mail, seeing those words, led me to flag it as
spam before the name caught up and I went back and unflagged it.

While I understand that it's not always feasible to be polite about some
of the competition, we can do better than stooping to those sorts of
insults. I don't want to see the Exim community be a place where that
sort of thing, about any vendor, is accepted unchallenged.

The dangers: if you wrote your system and didn't use ${quote:...} style
rules in the appropriate places, while handling remote attacker-supplied
data, you might end up with your rules not doing what you think they
mean. Be careful.
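The danger described above, shown as an added worked example (this is illustrative code written for this page, not Exim's own code and not anything from the thread). It models an Exim-style SQL lookup whose query text is built by string expansion, with sqlite3 standing in for the database backend and the table names and schema constructed for the demonstration. The local part is the one quoted in the message; the quoting helper uses SQL-standard doubling of the single quote because that is what sqlite3 understands, whereas Exim's ${quote_mysql:...} uses backslash escapes appropriate to MySQL. The principle is the same in either case: the attacker-supplied bytes must never be able to close the string literal they are placed in.

```python
import sqlite3

# Constructed test input: the local part from the message above, as the
# MTA sees it once the RFC 5321 double quotes have been stripped.
HOSTILE_LOCAL_PART = "X'); DROP TABLE domains; DROP TABLE passwords; --"

# Constructed schema for the demonstration (assumed table names).
SCHEMA = """
CREATE TABLE domains (name TEXT PRIMARY KEY);
CREATE TABLE passwords (user TEXT PRIMARY KEY, hash TEXT);
CREATE TABLE seen (local_part TEXT);
INSERT INTO domains VALUES ('example.org');
INSERT INTO passwords VALUES ('postmaster', 'constructed-hash');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def tables(db):
    """Names of the user tables currently present, sorted."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def unquoted_insert_sql(local_part):
    """The dangerous pattern: the equivalent of an Exim expansion string such as
         INSERT INTO seen VALUES ('$local_part')
    with $local_part substituted verbatim, no ${quote_*:...} applied."""
    return f"INSERT INTO seen VALUES ('{local_part}')"


def quote_sql(value):
    """Stand-in for Exim's ${quote_<db>:...} operators: escape the value so it
    stays inside a single-quoted literal. sqlite3 (and PostgreSQL) escape a
    single quote by doubling it; MySQL-style backslash escaping is what
    ${quote_mysql:...} would produce instead."""
    return value.replace("'", "''")


def quoted_insert_sql(local_part):
    """The safe pattern: same query, value passed through the quoting helper."""
    return f"INSERT INTO seen VALUES ('{quote_sql(local_part)}')"


def run_lookup(sql):
    """Run the generated SQL against a fresh database, executing it as a
    script so that any injected extra statements also run, as they would
    on a backend that accepts multi-statement query strings.
    Returns (tables still present, local parts recorded in 'seen')."""
    db = fresh_db()
    db.executescript(sql)
    recorded = [r[0] for r in db.execute("SELECT local_part FROM seen")]
    return tables(db), recorded


if __name__ == "__main__":
    print("unquoted SQL:", unquoted_insert_sql(HOSTILE_LOCAL_PART))
    print("  result    :", run_lookup(unquoted_insert_sql(HOSTILE_LOCAL_PART)))
    print("quoted SQL  :", quoted_insert_sql(HOSTILE_LOCAL_PART))
    print("  result    :", run_lookup(quoted_insert_sql(HOSTILE_LOCAL_PART)))
```

With the unquoted expansion, the `'` in the local part closes the literal, `);` terminates the INSERT, the two DROP statements run, and `--` comments out the rest of the original query; only the `seen` table survives and it records just `X`. With the quoted expansion the whole hostile string is stored as an ordinary value and the other tables are untouched. Exim's string expansion has no parameter placeholders, so the ${quote_*:...} operators are the only way to get the second behaviour; every expansion variable that originates from the remote peer (local parts, domains, header contents, authenticator data) needs one wherever it lands inside a query.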