Author: Sebastian Nielsen
Date:
To: exim-users
Subject: [exim] Suggestion: detainting via string exp
I have a suggestion, and that is to allow detainting of data via a new string expansion called detaint.

${detaint{<string>}{<charlist>}}

The idea is that you supply the string you want detainted, and a "permitted character list" where all characters not on that list will be deleted.

However, <charlist> must be untainted. It would be even better to completely disable string expansion for <charlist>.

Example:
if $domain contains "sebbe.eu/../../../../etc/passwd"
then
${detaint{$domain}{abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.}}
will return:
sebbe.eu........etcpasswd
in detainted form - which will be safe to use as a filename.

OF COURSE it's the system administrator's responsibility to supply a character list that is "safe" for the use case of said tainted data.

Because of the new stricter taint rules, system administrators shouldn't need to specify complete domain whitelists; it's better to allow for "any domain" as long as this "any domain" is scrubbed from any unsafe data.
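
An added sketch of the proposed semantics, not part of the original message and not Exim code: a Python model in which `Str`, `TaintError`, `detaint` and `usable_as_filename` are hypothetical names. It runs the message's own example plus two constructed inputs (`..` and `///`) whose filtered results an administrator would still check before using them as a filename.

```python
from dataclasses import dataclass

# Permitted-character list copied from the message's example.
CHARLIST = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-."


@dataclass(frozen=True)
class Str:
    """String plus taint flag (hypothetical model, not Exim's internals)."""
    value: str
    tainted: bool


class TaintError(Exception):
    """Raised when the permitted-character list is itself tainted."""


def detaint(subject: Str, charlist: Str) -> Str:
    """Model of the proposed ${detaint{<string>}{<charlist>}} operator."""
    # The proposal requires <charlist> to be untainted; otherwise whoever
    # controls the input would also control which characters survive.
    if charlist.tainted:
        raise TaintError("charlist must be untainted")
    allowed = frozenset(charlist.value)
    kept = "".join(ch for ch in subject.value if ch in allowed)
    return Str(kept, tainted=False)


def usable_as_filename(name: Str) -> bool:
    """Extra check (assumption, not in the proposal) on a detainted value."""
    return not name.tainted and name.value not in ("", ".", "..")


if __name__ == "__main__":
    safe = Str(CHARLIST, tainted=False)
    # Constructed inputs: the message's example plus two edge cases.
    for raw in ("sebbe.eu/../../../../etc/passwd", "..", "///"):
        out = detaint(Str(raw, tainted=True), safe)
        print(repr(raw), "->", repr(out.value), usable_as_filename(out))
```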