[exim-dev] [Bug 1643] Security hole in sqlite query

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1643] Security hole in sqlite query
https://bugs.exim.org/show_bug.cgi?id=1643

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED


--- Comment #1 from Phil Pennock <pdp@???> ---
Every piece of documentation on `server_secret` shows that you should use a
forced-fail in the expansion when the lookup doesn't match.

One example for `cyrusless_crammd5` does not use a forced-fail, but should. We
should fix that.

The correct config is:

server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM
accounts WHERE email='${quote_sqlite:$1}';}{$value}fail}

The security issue is nothing to do with sqlite and everything to do with
Exim's string language and how easy it is to create unexpected configuration
when not considering how things can fail. We can't do anything about this
without severely incompatible changes to how Exim is configured.

--
You are receiving this mail because:
You are on the CC list for the bug.
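The failure mode Phil describes, shown as an added example that is not part of the bug report or of Exim's own code: a small Python model of the `server_secret` expansion with and without the trailing `fail`, run against a constructed in-memory SQLite accounts table. The CRAM-MD5 check is a simplified stand-in for Exim's authenticator; the parameterised query stands in for `${quote_sqlite:$1}`.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed sample accounts table (not data from the bug report)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO accounts VALUES ('alice@example.org', 's3cret')")
    return con


def lookup_secret(con, email, forced_fail):
    """Model of  ${lookup sqlite{...}{$value}fail}  vs. the same expansion
    without 'fail'.  Returns None when the expansion is forced to fail."""
    row = con.execute(
        "SELECT password FROM accounts WHERE email=?", (email,)
    ).fetchone()
    if row is None:
        if forced_fail:
            return None   # lookup missed and 'fail' was given: expansion fails
        return ""         # lookup missed, no 'fail': secret expands to ""
    return row[0]


def cram_md5_response(challenge, secret):
    """Client-side CRAM-MD5 digest: HMAC-MD5(secret, challenge) as hex."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()


def authenticate(con, email, client_digest, challenge, forced_fail):
    """Simplified authenticator: a forced expansion failure rejects the
    login; otherwise the expanded secret (possibly empty) is used as the key."""
    secret = lookup_secret(con, email, forced_fail)
    if secret is None:
        return False
    expected = cram_md5_response(challenge, secret)
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    db = make_db()
    chal = b"<1234.000@example.org>"        # constructed challenge
    # Unknown user presenting the digest of an EMPTY password:
    print("without fail:", authenticate(db, "nobody@example.org",
                                        cram_md5_response(chal, ""), chal, False))
    print("with fail:   ", authenticate(db, "nobody@example.org",
                                        cram_md5_response(chal, ""), chal, True))
```

Without `fail`, a non-matching lookup hands the authenticator an empty secret, so an unknown user who digests an empty password is accepted; with `fail`, the same attempt is rejected before any comparison happens.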