On 17/05/2024 17:45, Dominic Preston via Exim-users wrote:
> I have a run expansion using a tainted variable:
>
> condition = ${run{/usr/bin/spfquery.mail-spf-perl \
> --ip $sender_host_address \
> --scope mfrom \
> --identity $sender_address} \
> {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> Is this usage of $sender_address safe? And if not, what would I do to
> make it safe?
We don't know what your external program is going to do,
even with respect to its arguments. So we cannot answer on safety.
From 4.97 onwards, tainted args are allowed in ${run } commands.
You didn't say what you are running.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
