[exim-dev] [Bug 1454] Adding option -oMm to supply message r…

Author: Todd Lyons
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1454] Adding option -oMm to supply message reference
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1454




--- Comment #4 from Todd Lyons <tlyons@???> 2014-04-24 15:13:34 ---
Can you see if the patch still works with this small change:

-      else if (Ustrcmp(argrest, "Mm") == 0) message_reference = argv[++i];
+      else if (Ustrcmp(argrest, "Mm") == 0)
+        {
+        if (trusted_config && mac_ismsgid(argv[i+1]) )
+          message_reference = argv[++i];
+        else
+          DEBUG(D_any) debug_printf("-oMm must be a valid message ID, called
by a trusted user/config\n");
+        }
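
Review bot: The else branch neither consumes nor rejects the value after -oMm. Because i is not advanced there, when trusted_config is false or mac_ismsgid() fails, argv[i+1] stays in argv to be interpreted as whatever comes next, and the only trace is a DEBUG(D_any) line that does not appear in a normal run. Consider treating this as a hard command-line error (report and exit) instead of continuing. Also confirm that argv[i+1] exists before passing it to mac_ismsgid(), since -oMm can be the last argument. Finally, the condition tests only trusted_config while the debug text says "trusted user/config", so either the check or the message should change to match.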


I don't like arbitrarily being able to set a value that could be used to log
erroneous or misleading message IDs. The way you are using it is fine, but
any local account being able to specify a message-id could produce falsified
audit logs, and we really need to prevent that. You essentially want -E but
without the error condition being set, so the feature needs a bit of extra
protection.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email