https://bugs.exim.org/show_bug.cgi?id=2171
--- Comment #8 from Heiko Schlittermann <hs@???> ---
(In reply to Heiko Schlittermann from comment #7)
> Created attachment 1043 [details]
> quick fix
>
> Try applying the attached quick fix. With this fix, Exim should issue a
> proper failure message in your reproducer.
${addresses:$h_from:} is really asking for trouble if $h_from: starts with '>'
as in From: >,"Hans" <hans@???>, <foo@???>
This changes the output from (the expected) hans@???:foo@???
to the (correct) hans@???,foo@???
While this is correct and according to the spec and may be the wanted behaviour
as in
${addresses:$acl_foo$h_from:}
(even I do not have a use case), we should consider
(a) accepting the output separator setting (>[sep]) only from literal
strings, not from expansion
OR
(b) encourage the use of an explicitly given output separator as in
${addresses:>:$h_from:}
if we do not control the value of the expanded argument
OR
(c) provide some kind of (to be specified) sanitization
But:
(a) is an incompatible change and requires much more effort than (b)
(c) isn't specified enough (and I'm not sure if there can be a general
specification about what is ${quote_exim:â¦} like
It seems that we should update the doc about the potential danger and we
should strongly recommend using ${addresses:>:$h_from:}
--
Heiko
--
You are receiving this mail because:
You are on the CC list for the bug.
