https://bugs.exim.org/show_bug.cgi?id=2118
Florian Weimer <[email protected]> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |[email protected]
--- Comment #6 from Florian Weimer <[email protected]> ---
Maybe it would be possible to avoid accepting further command line arguments
after '-f', but that doesn't seem sufficiently backwards-compatible.
However, it's not clear what performs the token splitting of the '-f' argument
here. There's clearly a very significant bug in there somewhere in the stack.
It's also rather strange that something would pass the 'Host:' header contents
unchanged to a sendmail invocation, even if it were a valid domain.
On the other hand, Exim already supports the '--' option list terminator, so
PHP (or whatever calls the sendmail program) just needs to follow recommended
practices for constructing command lines:
https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-Tasks-Processes.html#idm225434989808
(Robust argument list processing)
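Added example, not part of the original comment and not code from Exim or PHP: one way a caller can build the sendmail command line as the comment recommends, passing an argument vector without a shell and placing '--' before the recipients. The sendmail path, the function names, the address pattern and the sample values are assumptions made for the illustration. The string-built variant only shows how whitespace splitting turns one value into several arguments; it is not a diagnosis of where the splitting happened in this bug.

```python
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed install path

# Deliberately conservative address check (an assumption, not RFC 5322):
# no whitespace, no control characters, and no leading '-'.
_ADDR_RE = re.compile(
    r"[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@"
    r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)


def check_address(addr):
    """Return addr unchanged if it is a plain mailbox, else raise."""
    if not _ADDR_RE.fullmatch(addr):
        raise ValueError("rejected address: %r" % (addr,))
    return addr


def build_sendmail_argv(sender, recipients):
    """Build an argv list: one element per argument, '--' ends the options."""
    argv = [SENDMAIL, "-f", check_address(sender), "--"]
    argv += [check_address(r) for r in recipients]
    return argv


def string_built_tokens(sender):
    """What a whitespace-splitting layer sees when the command is one string."""
    return shlex.split("%s -f%s" % (SENDMAIL, sender))


def send(sender, recipients, message):
    """Run sendmail with an argv list; no shell is involved (shell=False)."""
    subprocess.run(build_sendmail_argv(sender, recipients),
                   input=message, check=True)


if __name__ == "__main__":
    # Constructed sample value: an address followed by an option-like token.
    hostile = "x@example.org --injected-option"
    print(string_built_tokens(hostile))   # the value became two arguments
    print(build_sendmail_argv("a@example.org", ["b@example.org"]))
    try:
        build_sendmail_argv(hostile, ["b@example.org"])
    except ValueError as exc:
        print(exc)
```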