著者: Jeremy Harris 日付: To: exim-users 題目: Re: [exim] CVE-2019-10149: already vulnerable ?
On 24/06/2019 18:55, Ian Zimmerman via Exim-users wrote: > RCPT TO:<it\z@???>
>
> the local part being tested, according to the >>> output, is just "itz",
> which of course ends up being accepted.
>
> I think this is a bug, do you agree?
This turns out to be deliberate, with the following code comment:
/* The implication in the RFCs (though I can't say I've seen it spelled out
explicitly) is that quoting should be removed from local parts at the point
where they are locally interpreted. [The new draft "821" is more explicit on
this, Jan 1999.] We know the syntax is valid, so this can be done by simply
removing quoting backslashes and any unquoted doublequotes. */
( function "deliver_split_address" )
So, to get a backslash into a local-part you have to double it in the SMTP
RCPT line: