On 12/06/2024 11:33, Thew, Alan via Exim-users wrote:
listserv_pipe:
driver = pipe
command = /XXXXX/bin/lsv_amin -t $local_part
[
driver = accept
condition = ${if match{$local_part}{-dmarc-}{yes}{no}}
retry_use_local_part
transport = listserv_pipe
no_verify
]
Read up on taint in the docs. The common place for a detaining
operation is in a router, by extracting from trusted data (ie.
held locally on the system) using the tainted data as a search key.
Usually this is done in a way that (for a local-part) populates
a variable "$local_part_data".
The verification you are doing - a regex match - is technically insufficient
because Exim cannot reason deeply about REs. It's also not good enough on
a wider view, as is doesn't refuse content within the (possibly
attacker-supplied)
local-part which is potentially damaging. Think in terms of shell
metacharacters,
and Exim's own expansions syntax - and never forget the lessors of the log4j
debacle.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
