authorAndreas Metzler <ametzler@downhill.at.eu.org>2013-01-02 19:29:51 +0100
committerAndreas Metzler <ametzler@downhill.at.eu.org>2013-01-02 19:29:51 +0100
commit7b49492c1cea33f6b36cbec8b6f82920cb247c1c (patch)
tree1565c8b878b92485d3c98a66282a511c6e397c4d
parent9778a00ed30b9521ca33a26eecd7c750d9dbb570 (diff)
downloadexim4-7b49492c1cea33f6b36cbec8b6f82920cb247c1c.tar.gz
Use ${quote:xxx} when invoking spfquery
Use exim's ${quote:xxx} operator when invoking spfquery to disallow bypassing of SPF validation by using special mailbox names. (Thanks to Lekensteyn for diagnosis and testing.) Closes: #697057
-rw-r--r--debian/changelog3
-rw-r--r--debian/debconf/conf.d/acl/30_exim4-config_check_rcpt6
2 files changed, 6 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 5e9617b..e8247e9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,9 @@ exim4 (4.80-7) UNRELEASED; urgency=low
* Remove obsolete conffile /etc/cron.monthly/exim4-base which was only
shipped in 4.69-3. Closes: #689334
* Update exim_db.8, syncing against spec.txt from exim 4.80.
+ * Use exim's ${quote:xxx} operator when invoking spfquery to disallow
+ bypassing of SPF validation by using special mailbox names. (Thanks to
+ Lekensteyn for diagnosis and testing.) Closes: #697057
-- Andreas Metzler <ametzler@debian.org> Sun, 25 Nov 2012 09:30:18 +0100
diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
index ac347aa..4949587 100644
--- a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
+++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
@@ -265,10 +265,10 @@ acl_check_rcpt:
log_message = SPF check failed.
!acl = acl_local_deny_exceptions
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
- \"$sender_host_address\" --identity \
+ ${quote:$sender_host_address} --identity \
${if def:sender_address_domain \
- {--scope mfrom --identity \"$sender_address\"}\
- {--scope helo --identity \"$sender_helo_name\"}}}\
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
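Review bot: The rewritten `--ip` line still ends in a bare `--identity`, so with either branch of the `${if def:sender_address_domain ...}` below it the expanded command reads `--ip <addr> --identity --scope mfrom --identity <sender>` (or the `helo` equivalent). Whether that first `--identity` takes `--scope` as its value depends on spfquery's option parsing, which is not visible here; it is worth confirming, because a mis-parsed scope would weaken the same check this commit hardens. If the option turns out to be redundant, the line can simply be `${quote:$sender_host_address} \`. A short comment above the condition would also keep the quoting from being reverted later, for example `# values from the SMTP session are sender-controlled; keep each one in ${quote:} so it reaches spfquery as a single argument`. The `deny` statement this condition belongs to starts above the hunk.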