On Tue, Jun 01, 2021 at 12:56:04PM +0200, Sebastian via Exim-users wrote:
> Fetching in the argument via environment variable is safe (as long as you
> don't use it in the script for something dangerous, but that's not exim's
> fault), since then you cannot use the variable to escape out of the shell.

-Original message-
From: Richard Gilbert via Exim-users
Sent: 1 June 2021 12:53
To: Exim users list

I understand why it is dangerous to use tainted data in constructing
filenames so I can no longer run a command containing the local_part,
e.g.

    data = |/home/exim/scripts/$local_part

I see that it is also an error to use, e.g.

    data = |/home/exim/scripts/my_script $local_part

In this case the sc