[exim-cvs] Doc/Spec: section "Trust in configuration data"

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Doc/Spec: section "Trust in configuration data"
Gitweb: http://git.exim.org/exim.git/commitdiff/69aca2feaca1ebbc55c6f1adaee4738dc328ae90
Commit:     69aca2feaca1ebbc55c6f1adaee4738dc328ae90
Parent:     b79bf0ff013a1cbb22845ffa15411d5af30bf278
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu Oct 24 20:38:28 2013 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu Oct 24 20:46:27 2013 -0400


    Doc/Spec: section "Trust in configuration data"
---
 doc/doc-docbook/spec.xfpt |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ec01e16..c71dfda 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -35863,6 +35863,8 @@ are given in chapter &<<CHAPappendfile>>&.

.new
.section "Running local commands" "SECTsecconslocalcmds"
+.cindex "security" "local commands"
+.cindex "security" "command injection attacks"
There are a number of ways in which an administrator can configure Exim to run
commands based upon received, untrustworthy, data. Further, in some
configurations a user who can control a &_.forward_& file can also arrange to
@@ -35907,6 +35909,41 @@ Consider the use of the &%inlisti%& expansion condition instead.



+
+.new
+.section "Trust in configuration data" "SECTsecconfdata"
+.cindex "security" "data sources"
+.cindex "security" "regular expressions"
+.cindex "regular expressions" "security"
+.cindex "PCRE" "security"
+If configuration data for Exim can come from untrustworthy sources, there
+are some issues to be aware of:
+
+.ilist
+Use of &%${expand...}%& may provide a path for shell injection attacks.
+.next
+Letting untrusted data provide a regular expression is unwise.
+.next
+Using &%${match...}%& to apply a fixed regular expression against untrusted
+data may result in pathological behaviour within PCRE. Be aware of what
+"backtracking" means and consider options for being more strict with a regular
+expression. Avenues to explore include limiting what can match (avoiding &`.`&
+when &`[a-z0-9]`& or other character class will do), use of atomic grouping and
+possessive quantifiers or just not using regular expressions against untrusted
+data.
+.next
+It can be important to correctly use &%${quote:...}%&,
+&%${quote_local_part:...}%& and &%${quote_%&<&'lookup-type'&>&%:...}%& expansion
+items to ensure that data is correctly constructed.
+.next
+Some lookups might return multiple results, even though normal usage is only
+expected to yield one result.
+.endlist
+.wen
+
+
+
+
.section "IPv4 source routing" "SECID272"
.cindex "source routing" "in IP packets"
.cindex "IP source routing"