With this said, I have reservations about removing a quote macro without research. It does more than just quote-wrap a variable; it also escapes quotes and other special characters from the variable.
To be honest, I'm no expert in this source code, but if the variables $sender_host_address or $sender_address come from metadata that the user controls, they can create a malicious payload and achieve ACE in a subprocess. This might not be an issue at all, and the variable could be properly sanitized by this point, but it's a concern I'd like to investigate before removing it.

--
https://bugs.launchpad.net/bugs/2056372

Title: Enabling SPF checks with CHECK_RCPT_SPF doesn't work