On 2022-09-28, Lena--- via Exim-users <exim-users@exim.org> wrote:
>> From: Eric Grammatico
>
>> In fact I tried to implement the wiki:
>> https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPwauth
>
> I edited that wiki: changed
>
> server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' |
> /usr/local/bin/pwauth"}{1}{0}}
>
> to
>
> server_condition = ${and {\
> {!match{$auth2$auth3}{[\x27\r\n]}}\
> {bool{${run{/bin/bash -c "echo -e '$auth2\n$auth3' |
> /usr/local/bin/pwauth"}{1}{0}}}}\
> }}
Does that still work in recent versions?
The documentation for ${run gives conflicting guidance on tainted values.
"Note: if tainted arguments are used, they are supplied by a potential
attacker; a careful assessment for security vulnerabilities should be
done. "
and
"Neither the command nor any argument may be tainted."
It would be nice to have a ${readpipe expansion somewhat analogous to
${readsocket but connects to a pipe process instead of a socket.
parhaps put the return code in $0
--
Jasen.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
