projects / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: f5bf763)
Docs: warn against using $local_part directly in delivery
authorJeremy Harris <jgh146exb@wizmail.org>
Wed, 8 Jan 2020 13:51:42 +0000 (13:51 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Wed, 8 Jan 2020 13:57:38 +0000 (13:57 +0000)
doc/doc-docbook/spec.xfpt patch | blob | blame | history
src/src/configure.default patch | blob | blame | history

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4d02bdc32e8c339ae29431a5fabfd913fa8a34ac..8b15227950c8f9c710b7ddfdfa629d4b15b99064 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -6362,7 +6362,7 @@ All other options are defaulted.
 .code
 local_delivery:
   driver = appendfile
 .code
 local_delivery:
   driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$home
   delivery_date_add
   envelope_to_add
   return_path_add
   delivery_date_add
   envelope_to_add
   return_path_add
@@ -12385,6 +12385,18 @@ Global address rewriting happens when a message is received, so the value of
 because a message may have many recipients and the system filter is called just
 once.
 
 because a message may have many recipients and the system filter is called just
 once.
 
+.new
+&*Warning*&: the content of this variable is provided by a potential attacker.
+Consider carefully the implications of using it unvalidated as a name
+for file access.
+This presents issues for users' &_.forward_& and filter files.
+For traditional full user accounts, use &%check_local_users%& and the &$home$&
+variable rather than this one.
+For virtual users, store a suitable pathname component in the database
+which is used for account name validation, and use that retrieved value
+rather than this variable.
+.wen
+
 .vindex "&$local_part_prefix$&"
 .vindex "&$local_part_suffix$&"
 .cindex affix variables
 .vindex "&$local_part_prefix$&"
 .vindex "&$local_part_suffix$&"
 .cindex affix variables
@@ -20528,6 +20540,15 @@ is not the case when the file contains syntactically valid items that happen to
 yield empty addresses, for example, items containing only RFC 2822 address
 comments.
 
 yield empty addresses, for example, items containing only RFC 2822 address
 comments.
 
+.new
+&*Warning*&: It is unwise to use &$local_part$& or &$domain$&
+directly for redirection,
+as they are provided by a potential attacker.
+In the examples above, &$local_part$& is used for looking up data held locally
+on the system, and not used directly (the second example derives &$home$& via
+the passsword file or database, using &$local_part$&).
+.wen
+
 
 
 .section "Forward files and address verification" "SECID125"
 
 
 .section "Forward files and address verification" "SECID125"
diff --git a/src/src/configure.default b/src/src/configure.default
index cf38305e57c1966329e71999830ec76983b13ecf..08f5a9d10962a4e3bb8cecf490c6c3bf15b498b8 100644 (file)
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -863,7 +863,7 @@ smarthost_smtp:
 
 local_delivery:
   driver = appendfile
 
 local_delivery:
   driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$home
   delivery_date_add
   envelope_to_add
   return_path_add
   delivery_date_add
   envelope_to_add
   return_path_add
Unnamed repository; edit this file 'description' to name the repository.