[exim-dev] [Bug 1062] increase the maximum recursion depth f…

Top Pagina
Delete this message
Reply to this message
Auteur: Phil Pennock
Datum:  
Aan: exim-dev
Onderwerp: [exim-dev] [Bug 1062] increase the maximum recursion depth for ACLs
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1062

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdp@???





--- Comment #1 from Phil Pennock <pdp@???> 2011-01-13 05:09:44 ---
I remain opposed to this change.

The only proponent is using recursion in ACL invocation based upon URLs
encountered in a message body. Changing the maximum recursion depth just moves
the problem around, it doesn't fix anything. But because the incident rate
drops, people stop paying attention to the actual problem: with a sufficiently
broken configuration, which pushes stack frames, with the number of those stack
frames based upon content under attacker control, stack overflows will happen.
Increasing the count permitted by Exim just increases the odds of encountering
an OS ulimit.

Do not use recursion in ACLs based upon message body content.

The proponent's asked for other ways to do this and another mechanism was
pointed out at the time. He has neglected to change his set-up but instead
wants us to encourage bad practice.

Unless one of the other maintainers speaks up to support this change, I will
close this bug WONTFIX.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email