Re: [exim] Differences exim 4.93 and 4.94

Author: Graeme Fowler
Date:  
To: List: exim
Subject: Re: [exim] Differences exim 4.93 and 4.94
On 22 Aug 2021, at 19:49, Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:
> No. These SQL queries are different: the first has NO quotes around the value in the
> domain=.. predicate, but the second has them. Debug output confirms it.
>
> The shell expands a string like 'xxx'a.b.c'yyy' to 'xxxabcyyy'.
> You should do quoting carefully.
You should also use the quote_mysql expansion function to make sure you’re not exposing yourself to any SQL injection attacks.

SELECT domain FROM eximdomains WHERE active=1 AND domain='${quote_mysql:$domain}'

Without this as a guard you are (a) depending on shell quote/variable expansion on debugging, and (b) potentially exposed to arbitrary code execution via SQL injection inside Exim itself.

Graeme
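As an added illustration (not code from the thread, and not Exim's own implementation): a Python re-implementation of the escaping rules documented for Exim's quote_mysql operator, the lookup string assembled with and without quoting and escaping, and a small check that the domain value still forms exactly one closed string literal. The escape table and the helper names are this example's own assumptions.

```python
# Constructed example: how the Exim MySQL lookup string from the thread ends up
# after expansion, and why both the surrounding quotes and ${quote_mysql:...}
# are needed. The escape table approximates Exim's documented quote_mysql rules.

QUOTE_MYSQL_MAP = {
    "\\": "\\\\",   # backslash
    "'": "\\'",     # single quote
    '"': '\\"',     # double quote
    "\0": "\\0",    # NUL
    "\n": "\\n",    # newline
    "\r": "\\r",    # carriage return
}

def quote_mysql(value: str) -> str:
    """Approximation of ${quote_mysql:value}: backslash-escape the characters
    MySQL treats specially inside a string literal. Like the real operator,
    this does NOT add the surrounding quotes; the lookup string must do that."""
    return "".join(QUOTE_MYSQL_MAP.get(ch, ch) for ch in value)

def build_lookup(domain: str, quote: bool = True, escape: bool = True) -> str:
    """Return the SELECT that would be handed to MySQL after expansion.
    quote=False, escape=False reproduces the unguarded query from the thread;
    quote=True, escape=True reproduces the fixed one."""
    body = quote_mysql(domain) if escape else domain
    literal = f"'{body}'" if quote else body
    return f"SELECT domain FROM eximdomains WHERE active=1 AND domain={literal}"

def literal_is_intact(query: str) -> bool:
    """Defensive check on the assembled query: the domain value must be a
    single quoted literal that runs to the very end of the statement.
    False means the value was unquoted, broke out of the literal early,
    or left the literal unterminated."""
    prefix = "AND domain="
    tail = query[query.index(prefix) + len(prefix):]
    if not tail.startswith("'"):
        return False                      # bare value, not a literal
    i = 1
    while i < len(tail):
        if tail[i] == "\\":
            i += 2                        # escaped character, skip it
            continue
        if tail[i] == "'":
            return i == len(tail) - 1     # closing quote must be the last char
        i += 1
    return False                          # unterminated literal

if __name__ == "__main__":
    for dom in ("example.org", "o'brien.example"):   # constructed sample domains
        for q, e in ((False, False), (True, False), (True, True)):
            sql = build_lookup(dom, quote=q, escape=e)
            print(f"quote={q!s:5} escape={e!s:5} intact={literal_is_intact(sql)!s:5} {sql}")
```

Running it shows that quoting without quote_mysql survives a plain hostname but breaks on a value containing an apostrophe, while the quoted and escaped form stays intact for both.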