On 25/07/2019 17:16, Ryan Castellucci via Exim-dev wrote:
> I welcome any feedback on these proposed changes.

Without denying the possible value of such restrictions,
a more general protection against this class of exploits
has been developed, and hit the git repo yesterday:
f3ebb786e Track

Hi,

I wanted to share some simple patches I've written for Exim that make
exploitation of string expansion more difficult.

The first one adds a config option to globally disable "${run {...}}":
https://gist.github.com/ryancdotorg/2643c2662a7e0f7554ecec295fb23c0c

This hooks up a global