On Jan 27, 2016, at 11:24 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
> On Wed, Jan 27, 2016 at 10:54:50AM -0800, Louis Kowolowski wrote:
> 
>> I found an interesting email that got caught in my spam quarantine. I’m
>> wondering if postfix is vulnerable to this kind of code execution (I’m
>> aware that other components could be vulnerable, but this question is
>> specifically targeting postfix).
> 
> Postfix does not inject message headers into the environment and
> is not itself vulnerable to the shellshock Bash attack nor does
> Postfix directly expose delivery programs to the attack.
> 
> The local(8) delivery agent does export some envelope data into
> the environment of delivery scripts, but these are sanitised:
> 
>       A limited amount of message context is exported via environment
>       variables. Characters that may have special meaning to the shell are
>       replaced by underscores. The list of acceptable characters is
>       specified with the command_expansion_filter configuration parameter.
> 
> See local(8) for details.
> 
> Users who write pipe(8) processing programs can of course eval the
> message as a shell script if they are so determined, we can't stop
> them from doing that.
> 
Perfect. That’s what I was hoping for.

Thanks Viktor!

--
Louis Kowolowski                                lou...@cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
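The local(8) filtering behaviour quoted above, modelled as an added example (this is illustration code, not Postfix's own implementation and not from the list). The default command_expansion_filter value and the exported variable names are assumed from the Postfix documentation; confirm them on a real system with `postconf -d command_expansion_filter` and local(8).

```python
"""Model of how local(8) sanitises message context before exporting it to
the environment of a delivery script: every character outside the
command_expansion_filter set is replaced by an underscore, so shell syntax
embedded in envelope data never reaches the child process intact."""

# Assumed: the documented default of command_expansion_filter (postconf(5)).
DEFAULT_COMMAND_EXPANSION_FILTER = (
    "1234567890!@%-_=+:,./"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)


def sanitize(value, allowed=DEFAULT_COMMAND_EXPANSION_FILTER):
    """Replace each character not in `allowed` with '_' (as local(8) does)."""
    keep = set(allowed)
    return "".join(ch if ch in keep else "_" for ch in value)


def build_delivery_env(context, allowed=DEFAULT_COMMAND_EXPANSION_FILTER):
    """Build the environment a delivery script would see.

    `context` maps exported names (SENDER, RECIPIENT, ... as listed in
    local(8); names assumed here) to raw envelope values. Every value is
    passed through the filter; the names themselves are fixed by Postfix.
    """
    return {name: sanitize(str(value), allowed) for name, value in context.items()}


def unsafe_characters(value, allowed=DEFAULT_COMMAND_EXPANSION_FILTER):
    """Return the distinct characters the filter would rewrite, for auditing
    a candidate command_expansion_filter setting against real traffic."""
    keep = set(allowed)
    return sorted({ch for ch in value if ch not in keep})


if __name__ == "__main__":
    # Constructed sample: an envelope sender carrying shell metacharacters.
    raw_context = {
        "SENDER": "alice@example.com; $(id)",
        "RECIPIENT": "bob+list@example.org",
    }
    env = build_delivery_env(raw_context)
    print(env["SENDER"])     # alice@example.com____id_
    print(env["RECIPIENT"])  # bob+list@example.org (unchanged: all allowed)
    print(unsafe_characters(raw_context["SENDER"]))  # [' ', '$', '(', ')', ';']
```

A stricter site policy is modelled by passing a smaller `allowed` string, which is what changing command_expansion_filter in main.cf does for the real delivery agent.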
