On 2012-12-31 Lekensteyn <[email protected]> wrote:
> Package: exim4-config
> Version: 4.72-6+squeeze3
> Tags: security
> In setting up exim4 I have been considering enabling SPF validation. To do
> so, I had to install the following packages:
> - exim4-daemon-light (default)
> - spf-tools-perl
[...]
> Conclusion:
> Random arguments can be passed to the spfquery command as shown above. Or,
> putting it differently, SPF validation can be bypassed in exim using a
> specially crafted MAIL FROM value. Possible solutions include:
> - Validate the sender, ensuring that quote characters cannot occur as this
> breaks the ${run} configuration. One has to check if this is in violation of
> SMTP (RFC5321) [1].
> - Make ${run} split program arguments first and then expand variables while
> keeping the arguments order. This would require help from upstream.
[...]
Doesn't ${quote: ...} help here? - A quick test with the attached
patch seems to suggest it does. - Could you verify this?
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff --git a/30_exim4-config_check_rcpt b/30_exim4-config_check_rcpt
index ac347aa..b7b2f70 100644
--- a/30_exim4-config_check_rcpt
+++ b/30_exim4-config_check_rcpt
@@ -267,8 +267,8 @@ acl_check_rcpt:
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
\"$sender_host_address\" --identity \
${if def:sender_address_domain \
- {--scope mfrom --identity \"$sender_address\"}\
- {--scope helo --identity \"$sender_helo_name\"}}}\
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
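Review bot: the unchanged context line `--ip \"$sender_host_address\"` still uses the hand-written `\"...\"` quoting that the two `--identity` values move away from; switch it to `${quote:$sender_host_address}` as well, so that every expanded variable on the spfquery command line is escaped the same way. A short comment above the condition would also help, saying that `${quote:...}` is needed because `${run}` expands the whole command string before splitting it into arguments, so that a later edit does not go back to bare `\"$var\"`. Separately, the unchanged `--identity \` at the end of the `--ip` line puts a bare `--identity` in front of `--scope`, and both branches then supply their own `--identity`; it is worth checking whether the first one is intended.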