http://bugs.exim.org/show_bug.cgi?id=1062

--- Comment #2 from Andrey N. Oktyabrski <[email protected]> 2011-01-13 07:28:22 ---
(In reply to comment #1)
> The only proponent is using recursion in ACL invocation based upon URLs
> encountered in a message body. Changing the maximum recursion depth just
> moves the problem around, it doesn't fix anything. But because the
> incident rate drops, people stop paying attention to the actual problem:
> with a sufficiently broken configuration, which pushes stack frames, with
> the number of those stack frames based upon content under attacker
> control, stack overflows will happen.
> Increasing the count permitted by Exim just increases the odds of
> encountering an OS ulimit.

What do you think about a configuration option "acl_recursion_depth" with a
hardcoded maximum value of 200 and a default of 20? I can make this patch if
it is pointful.

> Do not use recursion in ACLs based upon message body content.

Not all things can be done with ${reduce ...}. How can I iterate through,
for example, a ${lookup dnsdb ...} result? Or the $recipients list? I would
not use recursion if something the same as a "while" cycle existed. But in
the Exim configuration I do not have any cycle operator.

> The proponent's asked for other ways to do this and another mechanism was
> pointed out at the time. He has neglected to change his set-up but instead
> wants us to encourage bad practice.
