[exim-dev] [Bug 3063] "SMTP Smuggling" attack

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Exim Bugzilla
Datum:  
To: exim-dev
Alte Treads: [exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smuggling" if pipelining is enabled
Betreff: [exim-dev] [Bug 3063] "SMTP Smuggling" attack
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #15 from Ian <nobrowser@???> ---
(In reply to Jeremy Harris from comment #12)
> (In reply to Ian from comment #10)
> > (In reply to Jeremy Harris from comment #6)
> > > Security release 4.97.1 includes the relevant changes.
> >
> > Do any of these changes affect the octets which a transport filter sees? I
> > have some suspect occurrences after upgrading (but not pointing a finger
> > yet).
>
> Not directly, but if Exim is sending messages that it has previously
> received, the changes that are in the receive path would affect those
> messages - so if you are using a transport filter...
>
> (In reply to Ian from comment #10)
> > Can we have a configuration knob to disable it?
>
> > I am up for coding it.
>
> It doesn't seem technically infeasible. I trust you have read around the
> relevant comments in the code regarding the support, and are willing to
> keep both pieces when it breaks - and include testcases for the testsuite,
> and maintain the new code for the forseeable future.
>
> Please open a separate wishlist item for tracking this.


Reading the code in receive.c, I'm having some ... second thoughts :-P

But maybe, and yes I understand that testcases are required.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/