[exim] Run expansion with a tainted variable

Top Page
Delete this message
Reply to this message
Author: Dominic Preston
Date:  
To: exim-users
Subject: [exim] Run expansion with a tainted variable
Hello,

I have a run expansion using a tainted variable:

condition = ${run{/usr/bin/spfquery.mail-spf-perl \
               --ip $sender_host_address \
               --scope mfrom \
               --identity $sender_address} \
               {no}{${if eq {$runrc}{1}{yes}{no}}}}


Is this usage of $sender_address safe? And if not, what would I do to
make it safe?

Thanks,
Dominic.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/