Re: [exim] Sieve filters broken due to tainted expansions?

Top Page
Delete this message
Reply to this message
Author: Andrew C Aitchison
Date:  
To: Tobias Klausmann
CC: exim-users
Subject: Re: [exim] Sieve filters broken due to tainted expansions?
On Wed, 8 Jan 2020, Tobias Klausmann via Exim-users wrote:

> Hi!
>
> On Wed, 08 Jan 2020, Andrew C Aitchison wrote:
>> On Wed, 8 Jan 2020, Tobias Klausmann via Exim-users wrote:
>>>     user=$local_part
>>>     verify=false
>>>     transport = local_delivery

>>
>> If you have check_local_user you shouldn't need user=$local_part as well.
>
> Ah, good point, thanks.
>>
>>> And this seems to work. I'll test it for a bit and report back.
>>>
>>> Is the use of $local_part in the transports seen as safe, or
>>> should I cange those to use $home as well?
>>
>> On principle I would say change them too.
>> If $home and /home/$local_part are different directories which do you want ?
>> The one from the password file/database or the one derived from the
>> potential hacker's input ?
>> If /home fills up and you put a new user on a different
>> disk/partition/volume $home will still work, but /home/$local_part
>> would need attention ...
>
> Yeah, you're right. I presume I need no extra steps for $home
> being defined in the context of the transports?


Not sure.
spec.txt has a transport "procmail_pipe:" which has
     user = $local_part
and configure.default does not have check_local_user on any transports.
Best wait for a reply from those who know more than me.


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???