Re: [exim] Differences exim 4.93 and 4.94

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Graeme Fowler
Datum:  
To: List: exim
Betreff: Re: [exim] Differences exim 4.93 and 4.94
On 22 Aug 2021, at 19:49, Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:
> No. These SQL queries are different: first has NO quotes around value in
> domain=.. predicate, but the second have ones. Debug output confirms it.
>
> Shell expands string like 'xxx'a.b.c'yyy' to 'xxxabcyyy'.
> You should do quoting carefully.


You should also use the quote_mysql expansion function to make sure you’re not exposing yourself to any SQL injection attacks.

SELECT domain FROM eximdomains WHERE active=1 AND domain=${quote_mysql:$domain}

Without this as a guard you are (a) depending on shell quote/variable expansion on debugging, and (b) potentially exposed to arbitrary code execution via SQL injection inside Exim itself.

Graeme