On 11/05/2023 09:31, Gary Stainburn via Exim-users wrote:
> command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address
> How do I untaint $sender?
There's no principled way to do so (barring knowing all your possible
correspondents). And since you're using an external program, not part
of Exim, we can't know what security issues it might have with attacker-sourced
information.
Could you use LMTP to talk to Dovecot, rather than a command-line?
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
