On Wed, 11 Nov 2020, Sebastian Nielsen via Exim-users wrote:
> Yes, but it's a positive match only - meaning you have to explicitly
> specify allowed characters. The function should NOT be able to
> specify forbidden characters - as then it would be easy to miss bad
> characters. If a sysadmin then writes a filter which is too broad -
> it's his own fault.

Even that has pitfalls once you add non-ascii characters.

> I mean - I have an Email-to-SMS gateway which pipes
> data to a system script. <number>@sebbe.eu is interpreted as outgoing
> SMS. With the current structure, you need to add every number you
> want to SMS as whitelist - as you need to do a successful lookup to
> untaint. It's much better to be able to specify that localpart can
> only contain numbers to be permitted to be piped to the script - no
> security risk as nobody can escape out of a shell command with only
> 0-9 at their disposal.

I wonder whether a specific "telephone number" option would make sense?
Do we allow the international code "+", or the pause (which can be
used in fax numbers)
https://www.dummies.com/consumer-electronics/smartphones/droid/how-to-add-pauses-when-dialing-a-number-on-your-android-phone/ ?
--
Andrew C. Aitchison Kendal, UK
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
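
An added example, not part of the thread and not Exim configuration or code: a positive-match check for a digits-only local part, showing the non-ASCII pitfall raised above. The script path, the 15-digit cap (the E.164 maximum) and all function names are assumptions made for illustration.

```python
import re

# ASCII-only allow-list: [0-9] rather than \d, because \d in a Python 3 str
# pattern also matches non-ASCII decimal digits. \A and \Z anchor the whole
# string; "$" would also accept a trailing newline.
DIGITS_ONLY = re.compile(r"\A[0-9]{1,15}\Z")
# Variant discussed in the thread: optional leading "+" international prefix.
DIGITS_PLUS = re.compile(r"\A\+?[0-9]{1,15}\Z")

# A looser pattern that looks equivalent but is not, kept for comparison.
NAIVE = re.compile(r"^\d+$")


def untaint_localpart(localpart, allow_plus=False):
    """Return the local part if it passes the allow-list, else None."""
    pattern = DIGITS_PLUS if allow_plus else DIGITS_ONLY
    return localpart if pattern.match(localpart) else None


def build_argv(localpart, script="/usr/local/bin/send-sms"):
    """Build an argument vector (no shell involved) for a hypothetical SMS script."""
    number = untaint_localpart(localpart)
    if number is None:
        raise ValueError("local part rejected by allow-list")
    return [script, number]


# Constructed sample local parts, not taken from any real traffic.
SAMPLES = ["46701234567", "+46701234567", "4670123;id",
           "\u0664\u0666\u0667", "4670123\n", ""]


def compare(samples=SAMPLES):
    """Return (sample, naive_accepts, strict_accepts) for each sample."""
    return [(s, bool(NAIVE.match(s)), untaint_localpart(s) is not None)
            for s in samples]


if __name__ == "__main__":
    for sample, naive, strict in compare():
        print(f"{sample!r:20} naive={naive!s:5} strict={strict}")
```

The naive pattern accepts the Arabic-Indic digits and the value with a trailing newline; the ASCII-only, fully anchored pattern rejects both.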