On 2011-09-11 at 16:19 +0000, Steffen Heil (Mailinglisten) wrote:
> Whitespaces shoud not matter as long as the string is double quotet, right?
> Like this: pass="ab\$c d\!ef"
That gets the whitespace into the string which is used as the result of
the later expansion; without looking at where it's being expanded (eg, a
filename?) it's hard to say whether it matters.
> > Exim won't re-expand the string within one expansion, unless you
> explicitly
> > use ${expand:...}; it's a bit like why in shell you can have:
> > foo='`bad-stuff`'
> > bar="$foo"
> > and "bar" ends up holding the same content as "foo". If you are passing
> the
> > data somewhere subject to expansion, then ${quote:...} helps.
>
> So, as my arguments always come from an extraction, I do not use
> ${quote:...} as it would not be re-expanded anyway?
> I fear I did not get the point.
You do not _normally_ need quote, if the data is not being used in a way
which is subject to re-parsing.
> > For shell: Exim doesn't use shell for constructing the pipe command-line,
> so
> > variables are passed safely in as individual items in argv; however, the
> > "command" option _is_ subject to expansion, so you _will_ need to use
> > ${quote:...} on the "command" line for the pipe driver, to protect against
> > results containing '$'.
>
> Isn't that a contradiction to "no re-expansion"?
No; each item is expanded in turn, _instead_of_ the option being
expanded as a whole.
> I read that multiple times and again now. However it is unclear to me about
> all those possible layers of quotation involved. The first expansion is
> something I need to call the lookup/extract operator. Yet their output
> should be passed through directly. If no re-expansion takes place, that
> should fit. Do I need to take care of something like shell expansions? If no
> shell is involved, I think I don't.
Correct.
As always, the best way to get a feel for what's happening is to use
-be, or use -d+expand, and run real mails through, with various
arbitrary bits of data.
For instance, the source file for building my CDBs for alias lookup is
in lsearch format (roughly), and it contains these rules:
----------------------------8< cut here >8------------------------------
# + could be in here if it weren't for plus-addressing in use
a~`*&^%$#!_-={|}'/?b: phil.pennock
# And then, because I'm a wuss, I have filters against permitted
# characters in recipient addresses coming in over SMTP. Within
# the local domain, I deny these in local_parts: @%!/|
a~`*&^$#_-={}'?b: phil.pennock
"X'); DROP TABLE domains; DROP TABLE passwords; --": phil.pennock
----------------------------8< cut here >8------------------------------
So, I recommend setting up the address <a~`*&^$#_-={}'?b@???>
as a useful test.
Regards,
-Phil
