[exim] safe handling of $tls_sni

Top Page
Delete this message
Reply to this message
Author: Arkadiusz Miśkiewicz
Date:  
To: exim-users
New-Topics: [exim] SNI and DANE TLSA record monitoring (was: safe handling of $tls_sni)
Subject: [exim] safe handling of $tls_sni

Hi.

Docs say that $tls_sni has raw data from client:

"Great care should be taken to deal with matters of case, various injection
attacks in the string (../ or SQL), and ensuring that a valid filename can
always be referenced; it is important to remember that $tls_sni is arbitrary
unverified data provided prior to authentication."


What is safest approach to handle $tls_sni when trying
to expand it to file on filesystem?

Rule like:
${if exists{/etc/mail/ssl/${tls_sni}.pem}{/etc/mail/ssl/${tls_sni}.pem}{/etc/mail/default-cert.pem}

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )