On Mon, 27 Oct 2025, Marc MERLIN via Exim-users wrote:
> TL;DR:
> I understand sending dangerous shell or SQL quote commands to pipes is
> bad, but what was so hard about a de-taint(foo) that applies
> [A-Za-z0-9+-] or something close to it?
Sadly, whilst that would be sufficient in most cases, it is more
complicated than that.
RFC 5321 says:

    The syntax of the local part of a mailbox MUST conform to
    receiver site conventions and the syntax specified in Section 4.1.2.

https://www.rfc-editor.org/rfc/rfc5321.html#section-4.1.2
That section is 77 lines (excluding blanks) long.
"/" as escape and source routed addresses (including bang paths) are
allowed.
de-taint() would have to work for any input, unless you were happy with
just a de-taint-address() function.
> Hasn't this been solved multiple times in other internet facing software?
> Safely ?
> (and obviously you can call an external command safely without shell quoting
> issues)
execv and friends are safe but you are passing unknown data to an
external program ...
I do agree that tainting was released without documentation that
enabled the average user to successfully upgrade their config,
but at that time Exim was deployed by many users who could not afford
the time and expertise needed to run a mail service safely.
--
Andrew C. Aitchison Kendal, UK
[email protected]
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
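To make the point of the reply concrete, here is an added example (not code from the thread, nor from Exim): a checker for the RFC 5321 section 4.1.2 Local-part grammar (Dot-string / Quoted-string with quoted-pairs, 64-octet limit from section 4.5.3.1.1) beside the character-class rule proposed in the quoted message. The sample local parts are constructed for the demonstration; the `--` argument separator in `safe_argv` is the usual getopt convention and is assumed to be honoured by whatever program is exec'd. SMTPUTF8 (RFC 6531) local parts are deliberately out of scope.

```python
import re

# atext per RFC 5322 section 3.2.3, which RFC 5321 section 4.1.2 imports:
# ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~"
ATEXT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)

def is_rfc5321_local_part(local: str) -> bool:
    """True if `local` is a syntactically valid RFC 5321 Local-part.

    Local-part      = Dot-string / Quoted-string
    Dot-string      = Atom *("." Atom)        ; Atom = 1*atext
    Quoted-string   = DQUOTE *QcontentSMTP DQUOTE
    QcontentSMTP    = qtextSMTP / quoted-pairSMTP
    quoted-pairSMTP = %d92 %d32-126           ; backslash + printable
    qtextSMTP       = %d32-33 / %d35-91 / %d93-126
    Section 4.5.3.1.1: the local part is at most 64 octets.
    """
    if not local or len(local.encode("utf-8")) > 64:
        return False
    if local.startswith('"'):
        # Quoted-string: must be closed, body may contain quoted-pairs.
        if len(local) < 2 or not local.endswith('"'):
            return False
        body = local[1:-1]
        i = 0
        while i < len(body):
            c = ord(body[i])
            if c == 92:  # backslash starts a quoted-pair
                if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                    return False
                i += 2
            elif 32 <= c <= 33 or 35 <= c <= 91 or 93 <= c <= 126:
                i += 1
            else:
                return False  # bare DQUOTE, control char, or non-ASCII
        return True
    # Dot-string: non-empty atoms separated by single dots, no leading,
    # trailing or doubled dots.
    atoms = local.split(".")
    return all(atom and all(ch in ATEXT for ch in atom) for atom in atoms)

# The rule suggested in the quoted message: [A-Za-z0-9+-] "or something close".
SIMPLE_DETAINT = re.compile(r"[A-Za-z0-9+-]+")

def simple_detaint_accepts(local: str) -> bool:
    return SIMPLE_DETAINT.fullmatch(local) is not None

# Constructed sample local parts for the comparison (not real addresses).
SAMPLES = [
    "marc",            # plain atom
    "marc+exim",       # plus-addressing, fine under both rules
    "first.last",      # Dot-string with two atoms
    "first_last",      # '_' is atext
    "user=tag",        # '=' is atext
    "!bang",           # '!' is atext (bang-path style)
    '"john doe"',      # Quoted-string with a space
    '"a\\"b"',         # Quoted-string containing a quoted-pair \"
    "-leading-dash",   # valid, and accepted by the simple rule too
    "a..b",            # invalid: empty atom
    '"unterminated',   # invalid: unclosed Quoted-string
    "x" * 65,          # invalid: over 64 octets
]

def valid_but_rejected(samples):
    """Valid RFC 5321 local parts that the simple character class refuses."""
    return [s for s in samples
            if is_rfc5321_local_part(s) and not simple_detaint_accepts(s)]

def safe_argv(program: str, local: str) -> list:
    """Build an argv for an execv-style spawn (no shell, so quoting is moot).

    Caveat from the reply: the data is still untrusted. A valid Dot-string
    may begin with '-', so the value is placed after '--' (assumed getopt
    convention) so the callee cannot parse it as an option.
    """
    return [program, "--", local]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} rfc5321={is_rfc5321_local_part(s)!s:5} "
              f"simple={simple_detaint_accepts(s)}")
    print("valid but rejected by the simple rule:", valid_but_rejected(SAMPLES))
    print(safe_argv("/usr/local/bin/deliver", "-leading-dash"))
```

Running it shows the gap the reply describes: every entry returned by `valid_but_rejected` is a legal local part that a site receiving mail for it would have to accept, yet the character-class de-taint throws them away; meanwhile `-leading-dash` passes the simple rule and is exactly the kind of value that needs the argv precaution rather than a shell-quoting one.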