Re: [exim] Quoting questions

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: Steffen Heil (Mailinglisten)
CC: exim-users@exim.org
Sujet: Re: [exim] Quoting questions
On 2011-09-11 at 08:52 +0000, Steffen Heil (Mailinglisten) wrote:
> While this is no answer to my question, it is yet way better.


That's why I offered it. :)

> 4) driver = redirect data = ${expand:${extract{forward}{$address_data}}}


> Incoming mail for a@??? was correctly redirected to a@???, yet -be tells
> me the expansion yielded "$local_part@???".
> Why is this working?


Because you wrote ${expand:...} around the extraction.

> BTW: So it seems the only 2 characters I need to escape in my files are "
> and \. I can simple prefix both with \. Right? (Assuming no #0, #10, #13 are
> used...)


Also consider whitespace. There's a ${quote:...} expansion operator
that may help.


On 2011-09-11 at 09:14 +0000, Steffen Heil (Mailinglisten) wrote:
> 5) driver = pipe command = /folder/${extract{trigger}{$address_data}}.sh
> ${extract{trigger_param}{$address_data}{$value}{}}
>
> While I know that "trigger" will always contain safe data, I cannot be sure
> about trigger_param.
> I am not using a shell from the exim side, but the targets are .sh-scripts,
> implicitly invoking a shell.
>
> What do I have to do to make those arguments safe?
> Against exim string expansion and against shell expansion (I am not sure, if
> it applies in this scenario anyways).


Exim won't re-expand the string within one expansion, unless you
explicitly use ${expand:...}; it's a bit like why in shell you can have:
foo='`bad-stuff`'
bar="$foo"
and "bar" ends up holding the same content as "foo". If you are passing
the data somewhere subject to expansion, then ${quote:...} helps.

For shell: Exim doesn't use shell for constructing the pipe
command-line, so variables are passed safely in as individual items in
argv; however, the "command" option _is_ subject to expansion, so you
_will_ need to use ${quote:...} on the "command" line for the pipe
driver, to protect against results containing '$'. After that, it's on
you to make sure that your shell script handle parameters safely.

(Actually, each whitespace-separated item in the command option is
expanded separately, so as to keep results with space characters intact
as one item, so if using expansions in the command line, you need to do
so a little differently to normal).

You may find "29.3 How the command is run" helpful.

-Phil