Re: [exim] exim-4.96rc0 Tainted arg

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Kirill Miazine
Date:  
À: exim-users
Sujet: Re: [exim] exim-4.96rc0 Tainted arg
• Odhiambo Washington via Exim-users [2022-05-03 15:22]:
[...]
> Sanity check!
>
> In my router, I have the following query:
>
> address_data      = ${lookup mysql{ \
>                       select smtp, username, users.sa_tag*10 AS sa_tag,
> users.on_spamassassin AS on_spamassassin, \
>                       domains.spamassassin AS spamassassin, \
>                       users.uid AS uid, users.gid AS gid, users.quota AS
> quota from users,domains \
>                       where localpart = '${quote_mysql:$local_part}' \
>                       and domain = '${quote_mysql:$domain}' \
>                       and domains.enabled = '1' \
>                       and users.enabled = '1' \
>                       and users.domain_id = domains.domain_id}{$value}fail}

>
> And I have modified my transport to:
>
> dovecot_virtual_delivery:
> driver = pipe
> return_output
> command = /usr/local/libexec/dovecot/deliver -d
> ${extract{username}{$address_data}}
> message_suffix =
> delivery_date_add
> envelope_to_add
> return_path_add
> log_output
> user = mailnull
> temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
>
> And deliveries seem to be working without any errors,
>
> Question is whether I am creating a security loophole by doing the above.


Looks like you're doing it exactly the way it was intended.