Author: Warwick Brown Date: To: Jeremy Harris, exim-dev@exim.org Subject: Re: [exim-dev] Interesting behaviour
> -----Original Message----- > From: Jeremy Harris [mailto:jgh@wizmail.org]
> Sent: 21 October 2015 18:25
> To: Warwick Brown; exim-dev@???
> Subject: Re: [exim-dev] Interesting behaviour
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 21/10/15 16:44, Warwick Brown wrote:
> > Pen-testers still test to see if legacy routed addresses are supported due to
> the dross of legacy still out there.
> > I agree with your reasoning as to routed addresses being obsolete, and
> that is why I still use the restricted characters ACL to ensure they are not
> accepted.
> > But, the issue I see is that the invalid input is silently discarded with no
> notice of when or why.
> > The ":" character is in my restricted characters ACL, however in the special-
> case where the user-part is null, the restricted characters ACL does not seem
> to kick in.
> > I am satisfied that exim fails safe, but still think it's worth a look-in to why it
> silently discards parts of its input data - if this is by design, then fine, but if it is
> an unintended consequence, then it is to me a little more concerning.
>
> The following comment is in the source code
> [ block comment for parse_extract_address() ] :-
>
> Exim no longer supports the use of source routed addresses (those of the
> form
> @domain,...:route_addr). It recognizes the syntax, but collapses such
> addresses
> down to their final components. Formerly, collapse_source_routes had to
> be set
> to achieve this effect. RFC 1123 allows collapsing with MAY, while the
> revision
> of RFC 821 had increased this to SHOULD, so I've gone for it, because it
> makes
> a lot of code elsewhere in Exim much simpler.
>
> I've not looked at the actual coding, but that seems to match what you
> observe
> and I read it as being fully intended.
>
> The comment dates back at least as far as 2004, the start of the git history.
> - --
> Cheers,
> Jeremy
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJWJ8puAAoJELzljIzkHzLf2SgIAJZSCrBqpfxJqgHZPu/S/3Di
> 3EmYN9WiJXnri00j9p8UPGFCmtB94aFhFz83IBkP12RKwomir2rngpiqc6wv7gv3
> Z2lwcaUs4rX/6q4uxLGdJGFHZP/u8dQAWCaNTSlS6btADWwviQWu9am6sTZB
> qtVN
> k2obDtIpz+z51czp4B2is1z3unVDsrj0/ajdLrD6balCE2xgbXgvix2DtJelfM8r
> hCvbvd4ScslGzXz28qD/a8bMa/JWJN3/ykYeOnYjjQlrXBouw5m5uG0IHKk8a1R
> z
> py3zofeBlTUBGv2yxqGglADlpogPIwU4+bR5blbZF2dymvhTvaXJlHaMMbq6AR
> 4=
> =QuGJ
> -----END PGP SIGNATURE-----
>
> __________________________________________________________
> ____________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com > __________________________________________________________
> ____________
Thanks Jeremy,
In light of that, I will take it as intentional behaviour.
