Re: [exim] Another strange log about tainting

Góra strony
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
Dla: exim-users
Temat: Re: [exim] Another strange log about tainting
On 11/12/2019 00:51, Ian Zimmerman via Exim-users wrote:
> I see now - I call expand_string programatically in my dlexpand
> modules.
>
> So, next question: is the result of expand_string _always_ tainted?


No. Taint should only attach to information from the external
input. However, for dlexpand code it's up to the coder to
manage this since the implementation works by using differently-
tagged memory for tainted/untaintated values. "Manage" here
means: use the right sort of memory for the info you're
putting in it. You can compromise the tainting protection if
you get it wrong.

Memory gotten with a taint flag set is tainted, and attempts
to further expand strings in such memory gets trapped
(with that error message you saw). All other memory (ether gotten with
the taint arg false, or stack-autos, or globals... whatever) is
supposed to be untainted. If something goes wrong with that it's
a bug.

So: what sort of memory were you expanding, and what string was in it
(just "${exim_version}" ? That plus something else (what)? )?

> And
> is there a way to get the version _at run time_ in some other way?


Using $variables _is_ the way.
--
Cheers,
Jeremy