On 2025/10/27 5:39 AM, Marc MERLIN via Exim-users wrote:
> # Explicitly untaint by capturing the validated local_part
> address_data = ${sg{${lc:$local_part}}{^([a-zA-Z0-9_.-]+)\$}{\$1}}

To supplement the actual answer others have given, some background:
Were ${sg } to deliver de-tainted results it would be far too simple
to write an RE similar to ".*" - and some bright spark would note this
and publish a blog titled "One weird trick to solve all your Exim problems!",
and we'd be back in log4j land.
Exim is not clever enough to intuit meaning from an RE.
--
Cheers,
Jeremy
PS: The "Concept Index" for the main documentation for Exim
(https://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html)
has a subsection on "de-tainting".
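
The contrast discussed in this message, as an added configuration sketch that is not part of the original post or of the Exim documentation: the `${sg}` form stays tainted, while a value returned by a lookup in an administrator-controlled file does not. The router and transport names, the paths `/etc/exim/local_users` and `/var/mail`, and the `mail` user are assumptions.

```exim
# Added example. Names and paths below are assumptions.
#
# Constructed content of /etc/exim/local_users (key: data):
#   alice: alice
#   bob:   bob

begin routers

# Form from the quoted question: ${sg} rewrites a tainted string, so
# the result is still tainted however strict the pattern is.
#   address_data = ${sg{${lc:$local_part}}{^([a-zA-Z0-9_.-]+)\$}{\$1}}

# Lookup form: the router only runs when the local part is a key in
# the file, and $local_part_data holds the data read from that file.
# That value is untainted because it never came from the message.
listed_user:
  driver = accept
  local_parts = lsearch;/etc/exim/local_users
  address_data = $local_part_data
  transport = mbox_delivery

# Alternative source of an untainted name: a dsearch lookup returns
# the directory entry found on disk, not the string from the message.
#   address_data = ${lookup {$local_part} dsearch {/var/mail}}

begin transports

mbox_delivery:
  driver = appendfile
  # $address_data was set from $local_part_data in the router; using
  # $local_part here would be refused as a tainted filename.
  file = /var/mail/$address_data
  user = mail
```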