[exim] Re: Run expansion with a tainted variable

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Jeremy Harris
Fecha:  
A: exim-users
Asunto: [exim] Re: Run expansion with a tainted variable
On 17/05/2024 17:45, Dominic Preston via Exim-users wrote:
> I have a run expansion using a tainted variable:
>
> condition = ${run{/usr/bin/spfquery.mail-spf-perl \
>                 --ip $sender_host_address \
>                 --scope mfrom \
>                 --identity $sender_address} \
>                 {no}{${if eq {$runrc}{1}{yes}{no}}}}

>
> Is this usage of $sender_address safe? And if not, what would I do to
> make it safe?


We don't know what your external program is going to do,
even with respect to its arguments. So we cannot answer on safety.

From 4.97 onwards, tainted args are allowed in ${run } commands.
You didn't say what you are running.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/