Re: [exim] exim-4.96rc0 Tainted arg

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] exim-4.96rc0 Tainted arg
On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
> dovecot_virtual_delivery:
>    driver = pipe
>    return_output
>    command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
>    message_prefix =


> How do I need to de-taint the arg 2?


The same way as you de-taint local_part and domain for other uses,
as has been discussed here many times and is documented.

There are multiple ways and which one is best depends on your situation.


Once you've done that, you'll run into arg 4 also being tainted;
drop the "-f $sender_address" from the command line and remove
the
    message_prefix =
option setting.  The default for message_prefix is an mbox "From "
line, and Dovecot should take the sender from that.


(I am assuming that "dovecot/deliver" is the same as the "dovecot/dovecot_lda"
documented by the dovecot project).

--
Cheers,
Jeremy

Refs:
- http://exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html
- https://doc.dovecot.org/configuration_manual/protocols/lda/
- https://www.rfc-editor.org/rfc/rfc4155.txt
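
One possible de-tainted form of the transport discussed above, as an added example that is not part of the original message or of either poster's configuration. It uses dsearch lookups on the router, which is only one of the several ways mentioned; the router name and the /var/vmail/<domain>/<user> directory layout are assumptions.

```exim
# Router (hypothetical name). A successful dsearch lookup returns the
# matching directory entry name as an untainted string, which Exim
# places in $domain_data and $local_part_data.
dovecot_virtual_router:
  driver = accept
  # Assumed layout: one directory per hosted domain under /var/vmail
  domains = dsearch;/var/vmail
  # Assumed layout: one directory per mailbox under the domain directory.
  # "domains" is checked before "local_parts", so $domain_data is set here.
  local_parts = dsearch;/var/vmail/$domain_data
  transport = dovecot_virtual_delivery

# Transport from the quoted message with the changes suggested in the reply:
#  - arg 2 is built from the untainted lookup results instead of
#    $local_part and $domain
#  - "-f $sender_address" is dropped, so no tainted arg 4
#  - "message_prefix =" is removed, so the default mbox "From " line
#    carries the sender
dovecot_virtual_delivery:
  driver = pipe
  return_output
  command = /usr/local/libexec/dovecot/deliver -d $local_part_data@$domain_data
```

Addresses whose domain or local part has no matching directory do not match this router and fall through to whatever routers follow it.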