[exim] Re: Run expansion with a tainted variable

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: Run expansion with a tainted variable
On 17/05/2024 17:45, Dominic Preston via Exim-users wrote:
> I have a run expansion using a tainted variable:
>
> condition = ${run{/usr/bin/spfquery.mail-spf-perl \
>                 --ip $sender_host_address \
>                 --scope mfrom \
>                 --identity $sender_address} \
>                 {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> Is this usage of $sender_address safe? And if not, what would I do to
> make it safe?


We don't know what your external program is going to do,
even with respect to its arguments. So we cannot answer on safety.

From 4.97 onwards, tainted args are allowed in ${run } commands.
You didn't say what you are running.
--
Cheers,
Jeremy

