Re: [exim] CVE-2019-10149: already vulnerable ?

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
On 24/06/2019 18:55, Ian Zimmerman via Exim-users wrote:
> RCPT TO:<it\z@???>
>
> the local part being tested, according to the >>> output, is just "itz",
> which of course ends up being accepted.
>
> I think this is a bug, do you agree?


This turns out to be deliberate, with the following code comment:

/* The implication in the RFCs (though I can't say I've seen it spelled out
explicitly) is that quoting should be removed from local parts at the point
where they are locally interpreted. [The new draft "821" is more explicit on
this, Jan 1999.] We know the syntax is valid, so this can be done by simply
removing quoting backslashes and any unquoted doublequotes. */

( function "deliver_split_address" )

So, to get a backslash into a local-part you have to double it in the SMTP
RCPT line:

RCPT TO:<it\\z@???>

--
Cheers,
Jeremy
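
Added example, not Exim's own code and not part of the original message: the dequoting rule from the quoted comment, applied to constructed local parts, showing why a single backslash disappears and a doubled one survives. The function name dequote_local_part and its buffer interface are assumptions; the input is assumed to be syntactically valid already, as the comment states.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Exim source): strip quoting from a local part
   whose syntax has already been validated. A backslash quotes the next
   character and is itself removed; a double quote that is not
   backslash-quoted is removed. Returns the output length, or -1 if the
   output buffer is too small or the input ends in a dangling backslash. */
static int dequote_local_part(const char *in, char *out, size_t outsize)
{
    size_t n = 0;

    if (outsize == 0) return -1;
    for (; *in != '\0'; in++) {
        char c = *in;
        if (c == '\\') {
            c = *++in;                 /* keep the quoted character */
            if (c == '\0') return -1;  /* nothing follows the backslash */
        } else if (c == '"') {
            continue;                  /* unquoted doublequote: drop it */
        }
        if (n + 1 >= outsize) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample local parts, written as C string literals:
       it\z   it\\z   "it z"   "a\"b"                                  */
    const char *samples[] = { "it\\z", "it\\\\z", "\"it z\"", "\"a\\\"b\"" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (dequote_local_part(samples[i], buf, sizeof buf) >= 0)
            printf("%-10s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

ACLs, routers and log searches that match on the local part see the dequoted form, so a rule meant to catch a literal backslash has to be tested against the doubled form on the wire.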