Yes, because you could escape out of the argument, think if local part contains like "something &&
echo /etc/passwd".
Then whats executed is:
|/home/exim/scripts/my_script something && echo /etc/password
Fetching in the argument via environment variable is safe (as long as you in the script doesn't use
it for something dangerous, but thats not exim's fault), since then you cannot use the variable to
escape out of the shell.
-----Ursprungligt meddelande-----
Från: Richard Gilbert via Exim-users <exim-users@???>
Skickat: den 1 juni 2021 12:53
Till: Exim users list <exim-users@???>
Ämne: [exim] Should the taint checks apply to arguments?
I understand why it is dangerous to use tainted data in constructing
filenames so I can no longer run a command containing the local_part,
e.g.
data = |/home/exim/scripts/$local_part
I see that it is also an error to use, e.g.
data = |/home/exim/scripts/my_script $local_part
In this case the script is fixed and the tainted data is being used as
an argument. Is that still dangerous? The script can pick up the
local_part from the LOCAL_PART environment variable.
Richard
--
Richard Gilbert
IT Services
University of Sheffield, Sheffield, S10 2FN, UK
Phone: +44 114 222 3028
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
