Re: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?
On 24/06/2019 17:07, Ian Zimmerman via Exim-users wrote:
> I just want to prohibit any backslashes in local parts. I know this is
> totally safe to do im my case. So what it the appropriate number of
> backslashes to put in the regexp? Will this work:
>
> deny message = Restricted characters in address
> domains = +local_domains
> local_parts = ^[.] : ^.*[\$@%!/\\|]


I suggest quoting the entire list with \N for sanity.
Having done that I think you need a double backslash. I did when I
tested it. I suggest you test it yourself, using -bh.

As you have it, without \N-quoting, I think you don't have enough
backslashes.

--
Cheers,
Jeremy