On Sat, 18 May 2024 at 18:20, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote: > We don't know what your external program is going to do, > even with respect to its arguments. So we cannot answer on safety. > > From 4.97 onwards, tainted args are allowed in ${run } commands. > You didn't say what you are running.
I'm running Exim 4.97. So it's not possible to run arbitrary shell commands by tainting a variable with `rm -fr /` unless, in this instance, spfquery.mail-spf-perl performed the operation itself as a result of the argument? -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ ## unsubscribe (doesn't require an account): ## exim-users-unsubscr...@lists.exim.org ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/