Bug#697057: Arbitrary arguments can be passed to spfquery, bypassing SPF validation
Lekensteyn
lekensteyn at gmail.com
Tue Jan 1 20:56:04 UTC 2013
tags 697057 patch
Hi,
On Tuesday 01 January 2013 14:54:12 Andreas Metzler wrote:
> thanks for the bug-report. I think there is a typo in example 2,
> <" --help "ish at example.com> is not a valid address (afaik one may only
> quote the whole local_part). - Exim rejects the address.
Apologies, I copied the wrong line. The correct one (which could be determined
from the results) is actually:
MAIL FROM: "x --help "@example.com
On Tuesday 01 January 2013 15:23:55 Andreas Metzler wrote:
> Doesn't ${quote: ...} help here? - A quick test with the attached
> patch seems to suggest it does. - Could you verify this?
I can confirm that the attached patch solves the issue.
Before the patch:
--ip:192.168.2.2:--identity:--scope:mfrom:--identity::x:--help:@example.com
After the patch:
--ip:192.168.2.2:--identity:--scope:mfrom:--identity:"x --help "@example.com
For a defence in depth approach, I would also use ${quote:...} for the
$sender_host_address line above.
Thank you for your fast reply and solution, it's appreciated. Happy New Year,
it is a good beginning :-)
Regards,
Peter
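
Added example (not part of the message above and not Exim or Debian code): a simplified Python model of the argument splitting that reproduces the tail of the before/after argument lists shown in the message. It assumes the unpatched configuration wrapped $sender_address in literal double quotes; `split_args`, `exim_quote`, `argv_before` and `argv_after` are hypothetical helpers written for this illustration.

```python
import re

SENDER = '"x --help "@example.com'  # MAIL FROM address from the report

def exim_quote(s):
    """Model of ${quote:...}: quote unless s is only letters, digits, _ . -;
    escape backslash and double quote (newline handling omitted)."""
    if re.fullmatch(r"[A-Za-z0-9_.-]+", s):
        return s
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def split_args(cmd):
    """Simplified splitter (assumption): an argument that starts with a
    double quote runs to the next unescaped quote; others end at whitespace."""
    args, i, n = [], 0, len(cmd)
    while i < n:
        if cmd[i].isspace():
            i += 1
            continue
        buf = []
        if cmd[i] == '"':
            i += 1
            while i < n and cmd[i] != '"':
                if cmd[i] == "\\" and i + 1 < n:
                    i += 1          # backslash escapes the next character
                buf.append(cmd[i])
                i += 1
            i += 1                  # step over the closing quote
        else:
            while i < n and not cmd[i].isspace():
                buf.append(cmd[i])
                i += 1
        args.append("".join(buf))
    return args

def argv_before(sender):
    # Assumed unpatched form: literal quotes around the raw address.
    return split_args('--scope mfrom --identity "' + sender + '"')

def argv_after(sender):
    # Patched form: the address goes through the quote operator.
    return split_args("--scope mfrom --identity " + exim_quote(sender))

if __name__ == "__main__":
    print(":".join(argv_before(SENDER)))
    print(":".join(argv_after(SENDER)))
```

In the "before" case the quote character inside the address closes the literal quote early, so the address becomes four arguments; in the "after" case it stays a single argument.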