https://bugs.exim.org/show_bug.cgi?id=2118
Florian Weimer <fw@???> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw@???
--- Comment #6 from Florian Weimer <fw@???> ---
Maybe it would be possible to avoid accepting further command line arguments
after â-fâ, but that doesn't seem sufficiently backwards-compatible.
However, it's not clear what performs the token splitting of the â-fâ argument
here. There's clearly a very significant bug in there somewhere in the stack.
It's also rather strange that something would pass the âHost:â header contents
unchanged to a sendmail invocation, even if it were a valid domain.
On the other hand, Exim already supports the â--â option list terminator, so
PHP (or whatever calls the sendmail program) just needs to follow recommend
practices for constructing command lines:
https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-Tasks-Processes.html#idm225434989808
(Robust argument list processing)
--
You are receiving this mail because:
You are on the CC list for the bug.
