On Sat, 18 May 2024 at 18:20, Jeremy Harris via Exim-users
<exim-users@lists.exim.org> wrote:
> We don't know what your external program is going to do,
> even with respect to its arguments. So we cannot answer on safety.
>
> From 4.97 onwards, tainted args are allowed in ${run } commands.
> You didn't say what you are running.
I'm running Exim 4.97.
So it's not possible to run arbitrary shell commands by tainting a
variable with `rm -fr /` unless, in this instance,
spfquery.mail-spf-perl performed the operation itself as a result of
the argument?
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
