On Wed, Dec 22, 2021 at 08:16:57PM +0100, Michael Haardt via Exim-users wrote:
> > Also, though rarely used, it's not impossible for the
> > source of a string getting expanded to come from a
> > runtime-variable place. Exim is that flexible.
>
> Is there a real use case for that? It sounds dangerous to me.

What's dangerous and why? Think a bit. Lots of examples may be found in one minute.

For example, you have to check a user's quota, which is stored in some database. You have to extract the current mailbox size and the quota limit, then add the message size to the box size and compare with the limit. It's natural to use runtime variables, isn't it?

If you have to check the sender's address against the recipient's whitelist, you have to extract this whitelist, break it down into separate items, and run a loop over each.

And if you have an external control system, Exim should communicate with it, reading external data and writing some data back. Exim has many functions for such communication.

> I did not mean to imply taint checking was not needed, but the opposite:
> Saying "it's documented you should quote things" does not work.

If it does not work for you, then some day you would get a hit to read the documentation carefully. :)

> Fine with me, except I would have liked if it had been called Exim 5,

Many people think so, and I too.

--
Eugene Berdnikov