[exim] Re: Dovecot pidgeonhole transport untaint $sender

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Jeremy Harris
Data:  
Para: exim-users
Assunto: [exim] Re: Dovecot pidgeonhole transport untaint $sender
On 11/05/2023 09:31, Gary Stainburn via Exim-users wrote:
>   command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address


> How do I untaint $sender?


There's no principled way to do so (barring knowing all your possible
correspondents). And since you're using an external program, not part
of Exim, we can't know what security issues it might have with attacker-sourced
information.

Could you use LMTP to talk to Dovecot, rather than a command-line?
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/