Re: [exim] exim-4.96rc0 Tainted arg

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Odhiambo Washington
Datum:  
To: Kirill Miazine, exim users
Betreff: Re: [exim] exim-4.96rc0 Tainted arg
On Tue, May 3, 2022 at 3:44 PM Kirill Miazine via Exim-users <
exim-users@???> wrote:

> • Odhiambo Washington via Exim-users [2022-05-03 15:22]:
> [...]
> > Sanity check!
> >
> > In my router, I have the following query:
> >
> > address_data      = ${lookup mysql{ \
> >                       select smtp, username, users.sa_tag*10 AS sa_tag,
> > users.on_spamassassin AS on_spamassassin, \
> >                       domains.spamassassin AS spamassassin, \
> >                       users.uid AS uid, users.gid AS gid, users.quota AS
> > quota from users,domains \
> >                       where localpart = '${quote_mysql:$local_part}' \
> >                       and domain = '${quote_mysql:$domain}' \
> >                       and domains.enabled = '1' \
> >                       and users.enabled = '1' \
> >                       and users.domain_id =
> domains.domain_id}{$value}fail}

> >
> > And I have modified my transport to:
> >
> > dovecot_virtual_delivery:
> > driver = pipe
> > return_output
> > command = /usr/local/libexec/dovecot/deliver -d
> > ${extract{username}{$address_data}}
> > message_suffix =
> > delivery_date_add
> > envelope_to_add
> > return_path_add
> > log_output
> > user = mailnull
> > temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
> >
> > And deliveries seem to be working without any errors,
> >
> > Question is whether I am creating a security loophole by doing the above.
>
> Looks like you're doing it exactly the way it was intended.
>



:)

Thank you for confirming.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)