With this said, I have reservations about removing a quote macro without
research. It does more than just quote-wrap a variable; it also escapes
quotes and other special characters from the variable.

To be honest, I'm no expert in this source code, but if the variables
$sender_host_address or $sender_address come from metadata that the user
controls, they can create a malicious payload and achieve ACE in a
subprocess.

This might not be an issue at all, and the variable could be properly
sanitized by this point, but it's a concern I'd like to investigate
before removing it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056372

Title:
  Enabling SPF checks with CHECK_RCPT_SPF doesn't work
