Jeremy Harris via Exim-users [2022-06-29 11:21]:
> On 28/06/2022 12:22, Markus Reschke via Exim-users wrote:
> > IIRC, the 'recommended' way to solve issues with tainted variables is to
> > perform a database lookup.
>
> Actually, that is better phrased as "The requirement is to not use values provided
> by potential attackers in sensitive situations" - and the common means of
> not doing so is to obtain values from a trusted place, using (if needed) those
> untrusted values as search keys.
>
> Assuming there really is no way for you to use a pure SMTP environment
> (i.e. dump UUCP), or somehow avoid using a pipe transport (I can't think
> of a way offhand), any method here is going to be somewhat hacky. The
> least-worst is probably to wrap your uux invocation in another program
> (shell script, perl script, custom binary) which picks up the environment
> variable $RECIPIENT.

And here's an example of how such a wrapper could be done:
https://dovecot.org/pipermail/dovecot/2022-April/124589.html

It's CRITICAL that all arguments in the wrapper script are quoted!

> --
> Cheers,
>   Jeremy
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Kirill Miazine <k...@krot.org>
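A minimal wrapper of the kind described in the thread, added here as an example; it is not code from the thread, from the linked Dovecot post, or from Exim. It relies on what the thread states (Exim's pipe transport exports the recipient as the environment variable RECIPIENT, and every argument must be quoted) and adds a character allowlist on top, which is stricter than the thread requires. The UUX override variable, the allowlist, and the `uux - host!rmail (address)` calling convention are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical Exim pipe-transport wrapper (added example, not from the thread).
# Exim runs the transport command with RECIPIENT in its environment; the
# tainted address never appears on Exim's command line, only inside this script.

# Assumption: UUX can be overridden (e.g. for testing); defaults to the real uux.
UUX="${UUX:-uux}"

# Returns 0 when the address contains only characters this wrapper is willing
# to hand to uux. The allowlist below is a constructed example, not Exim policy.
recipient_is_safe() {
    case "$1" in
        '')                        return 1 ;;   # empty address
        *[!A-Za-z0-9._@!%+-]*)     return 1 ;;   # anything outside the allowlist
        -*)                        return 1 ;;   # would be parsed as a uux option
        *@*@*)                     return 1 ;;   # more than one @
        *@*)                       return 0 ;;   # local@domain shape
        *)                         return 1 ;;   # no domain part at all
    esac
}

# Invokes uux for one recipient. Every argument is quoted, so whitespace or
# shell metacharacters in the address cannot split into extra words or commands.
deliver_via_uux() {
    rcpt="$1"
    recipient_is_safe "$rcpt" || return 2
    host="${rcpt##*@}"   # assumption: UUCP neighbour is named by the domain part
    "$UUX" - "${host}!rmail" "(${rcpt})"
}

# When Exim runs this script, RECIPIENT is set: deliver and propagate uux's status.
if [ -n "${RECIPIENT:-}" ]; then
    deliver_via_uux "$RECIPIENT"
    exit $?
fi
```

The transport's command line then names only the script, with no address on it; the address reaches uux solely through the quoted `"$rcpt"` expansions, and an address that fails the allowlist is refused with exit status 2 before uux is ever executed.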