[exim-cvs] Docs: warn against using $local_part directly in …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Docs: warn against using $local_part directly in delivery
Gitweb: https://git.exim.org/exim.git/commitdiff/cf8b2c5789b6b6cfc2bb0dd84753ed7ec746d444
Commit:     cf8b2c5789b6b6cfc2bb0dd84753ed7ec746d444
Parent:     f5bf7636988febc332349f2a1deb2a4329ff3243
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Jan 8 13:51:42 2020 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Jan 8 13:57:38 2020 +0000


    Docs: warn against using $local_part directly in delivery
---
 doc/doc-docbook/spec.xfpt | 23 ++++++++++++++++++++++-
 src/src/configure.default |  2 +-
 2 files changed, 23 insertions(+), 2 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4d02bdc..8b15227 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -6362,7 +6362,7 @@ All other options are defaulted.
.code
local_delivery:
driver = appendfile
- file = /var/mail/$local_part
+ file = /var/mail/$home
delivery_date_add
envelope_to_add
return_path_add
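
Review bot: In the `local_delivery` example, `file = /var/mail/$home` prefixes the spool directory to a value that the text added later in this same commit describes as derived via the password file or database, that is, the account's home directory. A home directory is an absolute path, not a mailbox name, so the expansion would not yield a per-user file directly under /var/mail. Suggest either building the path from `$home` alone, or keeping /var/mail/ and appending an account name taken from the lookup that validated the recipient rather than from the address.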
@@ -12385,6 +12385,18 @@ Global address rewriting happens when a message is received, so the value of
because a message may have many recipients and the system filter is called just
once.

+.new
+&*Warning*&: the content of this variable is provided by a potential attacker.
+Consider carefully the implications of using it unvalidated as a name
+for file access.
+This presents issues for users' &_.forward_& and filter files.
+For traditional full user accounts, use &%check_local_users%& and the &$home$&
+variable rather than this one.
+For virtual users, store a suitable pathname component in the database
+which is used for account name validation, and use that retrieved value
+rather than this variable.
+.wen
+
.vindex "&$local_part_prefix$&"
.vindex "&$local_part_suffix$&"
.cindex affix variables
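
Review bot: The sentence "This presents issues for users' &_.forward_& and filter files" does not say what the issue is, and "Consider carefully the implications" leaves the reader to work out what validation is expected. Suggest stating the concern directly (the value becomes part of a pathname that Exim opens on the recipient's behalf) and then leading with the two remedies that follow, since those are the actionable part of the warning.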
@@ -20528,6 +20540,15 @@ is not the case when the file contains syntactically valid items that happen to
yield empty addresses, for example, items containing only RFC 2822 address
comments.

+.new
+&*Warning*&: It is unwise to use &$local_part$& or &$domain$&
+directly for redirection,
+as they are provided by a potential attacker.
+In the examples above, &$local_part$& is used for looking up data held locally
+on the system, and not used directly (the second example derives &$home$& via
+the passsword file or database, using &$local_part$&).
+.wen
+


.section "Forward files and address verification" "SECID125"
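
Review bot: Typo in the last added line, "passsword" should be "password". Separately, this warning names both &$local_part$& and &$domain$&, while the warning added under the variable description earlier in this patch covers only &$local_part$&; consider adding the matching note to the &$domain$& entry so the two places agree.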
diff --git a/src/src/configure.default b/src/src/configure.default
index cf38305..08f5a9d 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -863,7 +863,7 @@ smarthost_smtp:

local_delivery:
driver = appendfile
- file = /var/mail/$local_part
+ file = /var/mail/$home
delivery_date_add
envelope_to_add
return_path_add
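
Review bot: This changes the shipped default transport to `file = /var/mail/$home`, but nothing in the hunk shows that the routers handing addresses to `local_delivery` populate `$home`; the spec text added in this commit ties `$home` to &%check_local_users%&. Please confirm that every router using this transport sets it, and check what path the expansion produces on a stock install, since a home directory appended to /var/mail/ will not match the existing mailbox location that `/var/mail/$local_part` gave.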