[exim-dev] [Bug 1643] Security hole in sqlite query

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1643] Security hole in sqlite query
https://bugs.exim.org/show_bug.cgi?id=1643

--- Comment #3 from Phil Pennock <pdp@???> ---
Where did you see these examples? In the Exim documentation? Elsewhere?

We can reach out to people and try to get them to update bad examples, but
generally "it's on the Internet" isn't a good enough indicator of
trustworthiness. The Exim Specification is the canonical documentation; it
comes with Exim in text format, is available for download in multiple formats
and is accessible via the http://www.exim.org/ website.

There's the potential for some improvement here, like "reject empty strings",
but what when the value is "no" or "0" ... we're playing a losing game of
chasing after all the ways that people can screw up. The docs are very clear,
fail the expansion if you want auth to fail because you can't provide a secret.

--
You are receiving this mail because:
You are on the CC list for the bug.