Author: Arkadiusz Miśkiewicz Date: To: exim-users Subject: Re: [exim] safe handling of $tls_sni
On Monday 17 of October 2016, Phil Pennock wrote: > On 2016-10-12 at 14:50 +0200, Arkadiusz Miśkiewicz wrote:
> > Docs say that $tls_sni has raw data from client:
> >
> > "Great care should be taken to deal with matters of case, various
> > injection attacks in the string (../ or SQL), and ensuring that a valid
> > filename can always be referenced; it is important to remember that
> > $tls_sni is arbitrary unverified data provided prior to authentication."
>
> Someone read the text I wrote! Woohoo!
>
> (It only took a few years ...)
>
> > What is safest approach to handle $tls_sni when trying
> > to expand it to file on filesystem?
>
> Use a cryptographic hash for the filename.
Sounds smart.
> Or base64-encode it.
"/" is part of base64 alphabet, so would have to replace that with other
character, too.