Andrew C Aitchison <[email protected]> wrote:
> > I don't understand why require_files did not trigger the check, though,
> > but using the tainted variable $local_part there will be a problem.
>
> As I understand, "require_files" detaints,
> since a secure file-system is a database of trust.

The file system is, but $local_part could be "../whatever", ending up in a quite different file than what the admin had in mind, so using require_files on a tainted value should cause an error. However, https://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html does not say anything regarding tainted values one way or the other. dsearch does not allow ".." as path component.

Michael

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
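
The contrast discussed in this message, as an added configuration example that is not part of the original post or of anyone's actual setup: the first router puts the tainted $local_part straight into the require_files path, the second takes the file name from a dsearch lookup instead. The router names, the directory /var/spool/vacation and the transport name vacation_reply are assumptions made for illustration.

```exim
# Weak setting: $local_part comes from the SMTP envelope and is tainted.
# A local part such as "../whatever" would name a file outside
# /var/spool/vacation, which is not what the admin had in mind.
vacation_weak:
  driver = accept
  require_files = /var/spool/vacation/$local_part
  transport = vacation_reply

# Corrected setting: the local part is only used as a key for a dsearch
# lookup on the directory. dsearch matches the key against the names of
# the entries that exist in that directory and does not allow ".." as a
# path component, so the router is skipped for such local parts.
# On a match, $local_part_data holds the name of the directory entry as
# returned by the lookup, which is untainted and safe to use in a path.
vacation:
  driver = accept
  local_parts = dsearch;/var/spool/vacation
  require_files = /var/spool/vacation/$local_part_data
  transport = vacation_reply
```

Only one of the two routers would appear in a real configuration; they are shown side by side for comparison.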
