On 3/18/25 9:10 PM, Yves Goergen via Exim-users wrote:
> I'm upgrading Exim from 4.93 to 4.97 soon and read an entry in the upgrading documentation [1]. It says I cannot use $local_part in transports anymore and should consider $local_part_data.

Read the docs at https://exim.org/exim-html-4.97/doc/html/spec_html/index.html using the concept index entries for "taint".

> Also, I don't understand what the problem is there and why it needed to be changed.

Using data possibly provided by an attacker, except in very constrained ways, is unwise. Look back in history for the Log4j mess. Tracking such data is done using "taint" in Exim. Using tainted data as a key for a lookup is permitted, and the canonical means for getting untainted data. $local_part_data is one of those lookup results - but you need to ensure the relevant lookup is done.

--
Cheers,
  Jeremy
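
The lookup-then-use pattern described in the reply above, as an added example that is not part of the original thread or taken from the Exim distribution. The router and transport names, the file /etc/exim/virtual-users, the /var/mail directory and the `mail` user are assumptions, and `+local_domains` is assumed to be defined as in the default configuration.

```conf
# Constructed example; names and paths are assumptions, not from the thread.

begin routers

virtual_user:
  driver = accept
  domains = +local_domains
  # The tainted $local_part is used only as the key of a lookup.
  # With ret=key, a hit returns the matching key as stored in the
  # file (untainted), and Exim places it in $local_part_data.
  # If the local part is not listed, the router declines.
  local_parts = lsearch,ret=key;/etc/exim/virtual-users
  transport = virtual_delivery

begin transports

virtual_delivery:
  driver = appendfile
  # Refused as tainted, because the value comes straight from the
  # envelope recipient supplied by the sender:
  #   file = /var/mail/$local_part
  # Accepted, because the value is the result of the lookup above:
  file = /var/mail/$local_part_data
  user = mail
```

The transport only ever sees a name that already exists in the administrator's own file, so a recipient address cannot steer the delivery path.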