[exim] Re: Dovecot pidgeonhole transport untaint $sender

Pàgina inicial
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
A: exim-users
Assumpte: [exim] Re: Dovecot pidgeonhole transport untaint $sender
On 11/05/2023 09:31, Gary Stainburn via Exim-users wrote:
>   command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address


> How do I untaint $sender?


There's no principled way to do so (barring knowing all your possible
correspondents). And since you're using an external program, not part
of Exim, we can't know what security issues it might have with attacker-sourced
information.

Could you use LMTP to talk to Dovecot, rather than a command-line?
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/