I have been adding text to the mongodb_table that any text pasted
in the place of a %letter directive in result_format will be subject
to escaping, that is, Postfix inserts a backslash character before
a double quote or backslash character.

This ensures that the result will have the same structure as
result_format: each string in the result_format is still exactly
one string in the result, and each special character {}[], etc. is
still exactly one in the result. An attacker cannot 'control' how
the result will be processed.

What about projections? Given

    projection = { "_id":0, "mail_path": {"$concat": ["$domain", "/", "$local_part"]} }

what if $domain contains

    foo"]}, nasty stuff...

If an attacker can change the shape of the projection, then that
would be a problem.

        Wietse
_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
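
The escaping described in the message above, as an added example that is not part of the original post and is not Postfix code. A constructed JSON template stands in for result_format, and the helper names, the template and the input values are assumptions made for illustration; the check compares the parsed structure of the result against a benign expansion.

```python
import json
import re

# Constructed template standing in for result_format; %s and %d are directives.
TEMPLATE = '{"user": "%s", "path": ["%d", "/", "mail"]}'

def escape_value(value):
    """Insert a backslash before every double quote or backslash."""
    return re.sub(r'(["\\])', r'\\\1', value)

def expand(template, values, escape=True):
    """Paste values in place of %letter directives, escaping them by default."""
    def paste(match):
        letter = match.group(1)
        if letter == "%":          # "%%" stands for a literal percent sign
            return "%"
        text = values[letter]
        return escape_value(text) if escape else text
    return re.sub(r"%(.)", paste, template)

def shape(node):
    """Keep keys and container nesting, replace each leaf by its type name."""
    if isinstance(node, dict):
        return {key: shape(val) for key, val in node.items()}
    if isinstance(node, list):
        return [shape(val) for val in node]
    return type(node).__name__

def check(values, escape=True):
    """Return (same_shape_as_benign, parsed_result_or_None)."""
    benign = json.loads(expand(TEMPLATE, {"s": "user", "d": "example.com"}))
    try:
        parsed = json.loads(expand(TEMPLATE, values, escape))
    except json.JSONDecodeError:
        return False, None         # the pasted text broke the syntax
    return shape(parsed) == shape(benign), parsed

if __name__ == "__main__":
    # Constructed inputs: one closes the string early, one ends in a backslash.
    for s in ['foo", "extra": "x', 'foo\\']:
        vals = {"s": s, "d": "example.com"}
        print(repr(s), "escaped:", check(vals)[0], "raw:", check(vals, False)[0])
```

With escaping, both inputs come back as one string equal to the original value; pasted raw, the first adds a key and the second makes the result unparseable.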