Jim Cheetham, 2011-06-07 11:55:
> A user managed to submit an email to a local_part beginning with a colon
> (:info@domain)
>
> Normally this would be rejected early on, but their mail client managed
> to sneak the offending character in by wrapping it in double quotes ...
> (":info"@domain)
That's not sneaking in, it's just quoting. His MUA probably did it for him.
> This then caused a paniclog entry, because I was using $local_part in a
> DB lookup : "... and users.lhs='$local_part' and ..." and the message
> remained undelivered. Every time the queue is run, this message panics
> again.
Big mistake. You should always quote variables you use for SQL lookups,
e.g. "... and users.lhs='${quote_mysql:$local_part}' and ...". Otherwise
you are prone to SQL injection attacks. (See also
http://xkcd.com/327/).
> I tried playing with a test in acl_test_rcpt for this on a scratch
> system, but didn't manage to get it right, even though I remembered to
> double the colons :-)
>
>> deny message = Restricted characters in address
>> local_parts = ^[./|] : ^.*[::@%!] : ^.*/\\.\\./
This works here. Run a test session with "exim -d+expand -bh
some.ip.add.ress" to see what goes wrong.
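
Added example (not part of the original message, and not Exim's own code): a Python model of the escaping that the Exim specification documents for `${quote_mysql:...}`, applied to the lookup fragment quoted above. The helper names and the sample local parts are constructed for illustration, and the literal reader assumes MySQL's default backslash-escape handling.

```python
"""Model of the escaping documented for Exim's ${quote_mysql:...} operator."""

# Per the Exim specification: newline, tab, CR and backspace become \n \t \r \b;
# single quote, double quote and backslash are backslash-escaped.
ESCAPES = {"\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
           "'": "\\'", '"': '\\"', "\\": "\\\\"}
UNESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b"}

# Query fragment as quoted in the thread; {lhs} stands for the expanded variable.
TEMPLATE = "... and users.lhs='{lhs}' and ..."


def quote_mysql(value):
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build(local_part, quoted):
    return TEMPLATE.format(lhs=quote_mysql(local_part) if quoted else local_part)


def read_literal(query):
    """Read the string literal after lhs= the way MySQL would (backslash
    escapes only); return (decoded value, rest of the query)."""
    i = query.index("lhs='") + len("lhs='")
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            out.append(UNESCAPES.get(query[i + 1], query[i + 1]))
            i += 2
        elif ch == "'":
            return "".join(out), query[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def intact(local_part, quoted):
    """True if the database sees exactly local_part and the query tail is unchanged."""
    try:
        value, rest = read_literal(build(local_part, quoted))
    except ValueError:
        return False
    return value == local_part and rest == " and ..."


if __name__ == "__main__":
    # Constructed local parts that a quoted-string in an address can carry.
    for lp in (":info", "o'brien", "a\\b"):
        print(repr(lp), "raw:", intact(lp, False), "quoted:", intact(lp, True))
```

A colon is not among the characters the operator escapes, so `:info` reaches the query unchanged either way; the apostrophe and backslash cases are the ones where the unquoted expansion alters what the database parses.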