On Wed, Jan 27, 2016 at 10:54:50AM -0800, Louis Kowolowski wrote:

> I found an interesting email that got caught in my spam quarantine. I'm
> wondering if postfix is vulnerable to this kind of code execution (I'm
> aware that other components could be vulnerable, but this question is
> specifically targeting postfix).
Postfix does not inject message headers into the environment and is not
itself vulnerable to the shellshock Bash attack, nor does Postfix directly
expose delivery programs to the attack.

The local(8) delivery agent does export some envelope data into the
environment of delivery scripts, but these are sanitised:

    A limited amount of message context is exported via environment
    variables. Characters that may have special meaning to the shell are
    replaced by underscores. The list of acceptable characters is
    specified with the command_expansion_filter configuration parameter.

See local(8) for details.

Users who write pipe(8) processing programs can of course eval the message
as a shell script if they are so determined, we can't stop them from doing
that.

-- 
	Viktor.
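As an added illustration (my own Python, not Postfix source code), here is a model of the sanitisation rule quoted above: every character outside command_expansion_filter is replaced by an underscore before an envelope value reaches a delivery script's environment. The default filter string and the variable names SENDER, RECIPIENT and EXTENSION are assumptions from my reading of postconf(5) and local(8); the sample values are constructed. Check both against your own installation.

```python
# Added example, not Postfix code: models how local(8) filters envelope
# data before exporting it into a delivery script's environment.

# ASSUMPTION: believed to be the documented default of
# command_expansion_filter; verify with `postconf command_expansion_filter`.
DEFAULT_COMMAND_EXPANSION_FILTER = (
    "1234567890!@%-_=+:,./"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
)

# Characters a POSIX shell treats specially in one context or another.
# Used only to check the output of the filter, not to build it.
SHELL_METACHARACTERS = set("()[]{}<>|&;`'\"$\\ \t\n*?~#")


def sanitize_for_shell(value: str,
                       allowed: str = DEFAULT_COMMAND_EXPANSION_FILTER) -> str:
    """Replace every character not in `allowed` with an underscore.

    This is the rule described in local(8): the length of the value is
    preserved, but nothing the shell could interpret survives.
    """
    return "".join(ch if ch in allowed else "_" for ch in value)


def contains_shell_metachar(value: str) -> bool:
    """True if any shell-significant character remains in `value`."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def build_delivery_env(sender: str, recipient: str, extension: str = "",
                       allowed: str = DEFAULT_COMMAND_EXPANSION_FILTER) -> dict:
    """Model of the environment a delivery script would see.

    ASSUMPTION: variable names follow local(8)'s documented exports as I
    recall them. Every value passes through the filter; message headers are
    never exported at all, which is why Shellshock-style header content
    has no path into the environment in the first place.
    """
    raw = {"SENDER": sender, "RECIPIENT": recipient, "EXTENSION": extension}
    return {name: sanitize_for_shell(val, allowed) for name, val in raw.items()}


# Constructed sample inputs: a Bash function-definition prefix of the kind
# Shellshock-era probes carried, and an ordinary address.
FUNCTION_DEF_SAMPLE = "() { :;}; echo marker"
BENIGN_SENDER = "alice@example.com"


if __name__ == "__main__":
    env = build_delivery_env(FUNCTION_DEF_SAMPLE, "bob+list@example.com", "list")
    for name, val in env.items():
        safe = not contains_shell_metachar(val)
        print(f"{name}={val!r}  metachar_free={safe}")
    print(sanitize_for_shell(BENIGN_SENDER))
```

Note that the filter is a whitelist, so a value that already consists only of allowed characters (a normal sender or recipient address, including a `+` extension) passes through unchanged, while everything the shell could act on in the function-definition sample, including braces, parentheses, semicolons and spaces, becomes underscores.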