I have been adding text to the mongodb_table that any text pasted in the place of a %letter directive in result_format will be subject to escaping, that is, Postfix inserts a backslash character before a double quote or backslash character.
This ensures that the result will have the same structure as result_format: each string in the result_format is still exactly one string in the result, and each special character {}[], etc. is still exactly one in the result. An attacker cannot 'control' how the result will be processed.

What about projections? Given

    projection = { "_id":0, "mail_path": {"$concat": ["$domain", "/", "$local_part"]} }

what if $domains contains foo"]}, nasty stuff...

If an attacker can change the shape of the projection, then that would be a problem.

        Wietse
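The escaping property described in the message, as an added example that is not part of the original post and not Postfix code: it pastes a value into a JSON-shaped template with and without the backslash escaping and compares the parsed structure. The template, the sample value and every function name are constructed for illustration, and only a `%s` directive is handled.

```python
import json

def escape_pasted(text):
    """Insert a backslash before each backslash or double quote."""
    # Backslashes first, so the ones added for quotes are not doubled again.
    return text.replace("\\", "\\\\").replace('"', '\\"')

def expand(template, value, escape=True):
    """Paste value in place of every %s (hypothetical expander, %s only)."""
    return template.replace("%s", escape_pasted(value) if escape else value)

def shape(node):
    """Keep keys and nesting; replace every leaf by its type name."""
    if isinstance(node, dict):
        return {key: shape(val) for key, val in node.items()}
    if isinstance(node, list):
        return [shape(val) for val in node]
    return type(node).__name__

def same_shape(template, value, escape=True):
    """True if the expanded text parses to the template's own structure."""
    baseline = shape(json.loads(expand(template, "x")))
    try:
        result = shape(json.loads(expand(template, value, escape)))
    except json.JSONDecodeError:
        return False
    return result == baseline

def pasted_string(template, value):
    """Return the string that ends up in the %s slot after escaping."""
    return json.loads(expand(template, value))["mail_path"]["$concat"][0]

# Constructed template with one directive inside a JSON string.
TEMPLATE = '{"_id": 0, "mail_path": {"$concat": ["%s", "/", "mbox"]}}'
# Constructed value that closes the string, array and object early.
HOSTILE = 'foo"]}, "extra": {"$concat": ["'

if __name__ == "__main__":
    print("unescaped keeps shape:", same_shape(TEMPLATE, HOSTILE, escape=False))
    print("escaped keeps shape:  ", same_shape(TEMPLATE, HOSTILE))
    print("escaped text:", expand(TEMPLATE, HOSTILE))
```
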