[exim] Re: Dovecot pidgeonhole transport untaint $sender

Συντάκτης: Jeremy Harris
Ημερομηνία:
Προς: exim-users
Αντικείμενο: [exim] Re: Dovecot pidgeonhole transport untaint $sender

On 11/05/2023 09:31, Gary Stainburn via Exim-users wrote:
> command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address

> How do I untaint $sender?

There's no principled way to do so (barring knowing all your possible
correspondents). And since you're using an external program, not part
of Exim, we can't know what security issues it might have with attacker-sourced
information.

Could you use LMTP to talk to Dovecot, rather than a command-line?
--
Cheers,
Jeremy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Αυτό το μήνυμα είναι μέρος του ακόλουθου νήματος:
	το πλήρες δέντρο νημάτων ταξινομημένο κατά ημερομηνία
	Gary Stainburn στο
	Evgeniy Berdnikov στο