Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Bill Cole
Date:  
À: Spencer Marshall via Exim-users
Sujet: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 6 Jun 2019, at 8:25, Spencer Marshall via Exim-users wrote:

> why is this only being applied to +local_domains? why not everything?
>  deny    message       = Restricted characters in address
>                local_parts   = ^[.] : ^.*[\$@%!/|]



$, /, |, and % are all perfectly legal characters in a SMTP address
local-part without any sort of quoting.

@ and ! can appear inside a quoted-string part of an address local-part.

You can decree that all of your local domains must not contain those
characters but you can't extend that decree to other people's domains. I
work regularly with systems that have support for local-parts like
'mailbox/hierarchy/folder#username'

--
Bill Cole
bill@??? or billcole@???
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire