On 12/06/2024 11:33, Thew, Alan via Exim-users wrote:
> listserv_pipe:
> driver = pipe
> command = /XXXXX/bin/lsv_amin -t $local_part
[
> driver = accept
> condition = ${if match{$local_part}{-dmarc-}{yes}{no}}
> retry_use_local_part
> transport = listserv_pipe
> no_verify
]
Read up on taint in the docs. The common place for a detaining
operation is in a router, by extracting from trusted data (ie.
held locally on the system) using the tainted data as a search key.
Usually this is done in a way that (for a local-part) populates
a variable "$local_part_data".
The verification you are doing - a regex match - is technically insufficient
because Exim cannot reason deeply about REs. It's also not good enough on
a wider view, as is doesn't refuse content within the (possibly attacker-supplied)
local-part which is potentially damaging. Think in terms of shell metacharacters,
and Exim's own expansions syntax - and never forget the lessors of the log4j debacle.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
