Gitweb:
http://git.exim.org/exim.git/commitdiff/69aca2feaca1ebbc55c6f1adaee4738dc328ae90
Commit: 69aca2feaca1ebbc55c6f1adaee4738dc328ae90
Parent: b79bf0ff013a1cbb22845ffa15411d5af30bf278
Author: Phil Pennock <pdp@???>
AuthorDate: Thu Oct 24 20:38:28 2013 -0400
Committer: Phil Pennock <pdp@???>
CommitDate: Thu Oct 24 20:46:27 2013 -0400
Doc/Spec: section "Trust in configuration data"
---
doc/doc-docbook/spec.xfpt | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ec01e16..c71dfda 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -35863,6 +35863,8 @@ are given in chapter &<<CHAPappendfile>>&.
.new
.section "Running local commands" "SECTsecconslocalcmds"
+.cindex "security" "local commands"
+.cindex "security" "command injection attacks"
There are a number of ways in which an administrator can configure Exim to run
commands based upon received, untrustworthy, data. Further, in some
configurations a user who can control a &_.forward_& file can also arrange to
@@ -35907,6 +35909,41 @@ Consider the use of the &%inlisti%& expansion condition instead.
+
+.new
+.section "Trust in configuration data" "SECTsecconfdata"
+.cindex "security" "data sources"
+.cindex "security" "regular expressions"
+.cindex "regular expressions" "security"
+.cindex "PCRE" "security"
+If configuration data for Exim can come from untrustworthy sources, there
+are some issues to be aware of:
+
+.ilist
+Use of &%${expand...}%& may provide a path for shell injection attacks.
+.next
+Letting untrusted data provide a regular expression is unwise.
+.next
+Using &%${match...}%& to apply a fixed regular expression against untrusted
+data may result in pathological behaviour within PCRE. Be aware of what
+"backtracking" means and consider options for being more strict with a regular
+expression. Avenues to explore include limiting what can match (avoiding &`.`&
+when &`[a-z0-9]`& or other character class will do), use of atomic grouping and
+possessive quantifiers or just not using regular expressions against untrusted
+data.
+.next
+It can be important to correctly use &%${quote:...}%&,
+&%${quote_local_part:...}%& and &%${quote_%&<&'lookup-type'&>&%:...}%& expansion
+items to ensure that data is correctly constructed.
+.next
+Some lookups might return multiple results, even though normal usage is only
+expected to yield one result.
+.endlist
+.wen
+
+
+
+
.section "IPv4 source routing" "SECID272"
.cindex "source routing" "in IP packets"
.cindex "IP source routing"
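Review bot: the first list item states that `${expand...}` "may provide a path for shell injection attacks" but gives the reader no indication of how, while the immediately preceding section "Running local commands" (SECTsecconslocalcmds, seen in the first hunk) is where the command-running expansion items are discussed; consider adding a cross-reference such as "see section &<<SECTsecconslocalcmds>>&" to that item so the two sections reinforce each other. Similarly, the last item ("Some lookups might return multiple results") names a hazard without saying what an administrator should do about it; one sentence on checking or constraining the result would make the list actionable. Two smaller points: the four blank lines after `.wen` (before `.section "IPv4 source routing"`) are more than the single blank line used elsewhere in this file, and since the first hunk shows a `.new` opened before "Running local commands" while the lines between the two hunks are not in the diff, it is worth confirming that that earlier `.new` is closed with `.wen` before the new `.new` added here, so the markers do not nest.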