Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Bill Cole
Dátum:  
Címzett: Spencer Marshall via Exim-users
Tárgy: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 6 Jun 2019, at 8:25, Spencer Marshall via Exim-users wrote:

> why is this only being applied to +local_domains? why not everything?
>  deny    message       = Restricted characters in address
>                local_parts   = ^[.] : ^.*[\$@%!/|]



$, /, |, and % are all perfectly legal characters in a SMTP address
local-part without any sort of quoting.

@ and ! can appear inside a quoted-string part of an address local-part.

You can decree that all of your local domains must not contain those
characters but you can't extend that decree to other people's domains. I
work regularly with systems that have support for local-parts like
'mailbox/hierarchy/folder#username'

--
Bill Cole
bill@??? or billcole@???
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire