Re: [exim] Re: sensitive data appearing in delay warning mes…

Author: Alexander V Alekseev
Date:  
To: exim-users
CC: Philip Hazel, Brian Candler
Subject: Re: [exim] Re: sensitive data appearing in delay warning messages [was: Please help!]
        Hello!

     First of all, many, MANY THANKS to Brian Candler, who was the
only man who noticed my second (!) message about this bug. (The first
was a month ago.)


On Sat, 16 Apr 2005, Philip Hazel wrote:

>>> if quota lookup fails.
>>
>> Hmm. Yes, that looks like a real problem.
>
> The next release of Exim will contain this change, that I did a couple
> of weeks ago:
>
> PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in
>      an address' error message when a string expansion fails (syntax or
>      whatever). Otherwise not only does the password appear in the log, it may
>      also be put in a bounce message.
>
> The patch is below. Note the comment. It is a band-aid. Brian's idea of
> noting whether an expansion contains a "hide" variable and using that
> as a criterion for not giving details is also worth exploring WIGAM
> (when I get a moment).

     The sysadmins whom I advised to use Exim were shocked that it sends
internal data in bounce messages. ;-((
     Would you explore the idea of not sending _any_ internal
information in bounces? If anyone wants it to be sent, he can add it to
bounce_message_text manually. (For example, on any internal error
only "Internal error" can be sent.)


     Thank you for the patch, but it works only if pass= doesn't contain a
space. But really, the text of the search must not be shown in the bounce
message (but it should be in the log file). (I'll modify it for myself, but
it's not good.)



         Bye. Alex.
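The two points raised in this message, that a password with a space in it is only partly flattened and that the failed query text belongs in the log but not in the bounce, can be illustrated with a small redaction routine. The code below is an added example written for this page; it is not Exim's code and not the patch Philip refers to (which is not reproduced here). It assumes an Exim-style LDAP query prefix of the form `user="<dn>" pass="<password>" ldap:///...`, where a value containing spaces is double-quoted; the sample query, the `xxx` replacement text and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Exim's code, and not the patch discussed in the
 * thread). Assumes an Exim-style LDAP query prefix of the form
 *   user="<dn>" pass="<password>" ldap:///<base>?<attrs>?<scope>?<filter>
 * where a value containing spaces is double-quoted. Both bare (pass=foo)
 * and quoted (pass="foo bar") values are replaced by xxx, so a password
 * with spaces is hidden as a whole instead of only up to its first space.
 */

/* Append one character to out if there is room; pos always advances so the
 * caller can see when truncation happened. */
static void emit(char *out, size_t outlen, size_t *pos, char c)
{
    if (*pos + 1 < outlen) out[*pos] = c;
    (*pos)++;
}

static void emit_str(char *out, size_t outlen, size_t *pos, const char *s)
{
    for (; *s; s++) emit(out, outlen, pos, *s);
}

/* Copy in to out with every pass= value flattened. Returns the number of
 * values redacted. out is always NUL-terminated (outlen must be > 0). */
size_t redact_ldap_password(const char *in, char *out, size_t outlen)
{
    const char *marker = "pass=";
    size_t mlen = strlen(marker);
    size_t pos = 0, count = 0;
    const char *p = in;

    while (*p) {
        /* Only match pass= at the start of a whitespace-separated token,
         * so that e.g. "bypass=" inside another value is left alone. */
        int token_start = (p == in) || p[-1] == ' ' || p[-1] == '\t';
        if (token_start && strncmp(p, marker, mlen) == 0) {
            emit_str(out, outlen, &pos, marker);
            p += mlen;
            if (*p == '"') {
                /* Quoted value: skip to the closing quote, spaces included;
                 * a backslash-escaped quote does not end the value. */
                emit(out, outlen, &pos, '"');
                p++;
                while (*p && *p != '"') {
                    if (*p == '\\' && p[1]) p++;
                    p++;
                }
                emit_str(out, outlen, &pos, "xxx");
                if (*p == '"') { emit(out, outlen, &pos, '"'); p++; }
            } else {
                /* Bare value: ends at the next whitespace. */
                while (*p && *p != ' ' && *p != '\t') p++;
                emit_str(out, outlen, &pos, "xxx");
            }
            count++;
            continue;
        }
        emit(out, outlen, &pos, *p++);
    }
    out[pos < outlen ? pos : outlen - 1] = '\0';
    return count;
}

/* What the message asks for: the log line keeps the (redacted) query so the
 * admin can debug it, while the bounce text carries no query text at all. */
void lookup_failure_texts(const char *query, char *logbuf, size_t loglen,
                          char *bouncebuf, size_t bouncelen)
{
    char redacted[512];
    redact_ldap_password(query, redacted, sizeof redacted);
    snprintf(logbuf, loglen, "LDAP lookup failed for query: %s", redacted);
    snprintf(bouncebuf, bouncelen, "Internal error");
}

int main(void)
{
    /* Constructed sample query; the password deliberately contains spaces. */
    const char *query =
        "user=\"cn=admin,dc=example,dc=org\" pass=\"my secret pw\" "
        "ldap:///dc=example,dc=org?mail?sub?(uid=alex)";
    char logline[600], bounce[80];

    lookup_failure_texts(query, logline, sizeof logline, bounce, sizeof bounce);
    printf("log:    %s\nbounce: %s\n", logline, bounce);
    printf("leak check: %s\n",
           strstr(logline, "my secret pw") ? "PASSWORD LEAKED" : "password hidden");
    return 0;
}
```

The quoted-value branch is the part that matters for the complaint above: a redaction that stops at the first whitespace leaves everything after the space of `pass="my secret pw"` in the message, whereas walking to the closing quote hides the whole value. An unquoted password with a space cannot be told apart from the next token, which is why the quoted form is the one to handle. Keeping the generic "Internal error" text for the bounce and the redacted query for the log separates what the remote sender sees from what the administrator needs.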