[exim] Suggestion: detainting via string exp

Author: Sebastian Nielsen
Date:  
To: exim-users
Subject: [exim] Suggestion: detainting via string exp
I have a suggestion, and that is to allow detainting of data via a new string expansion called detaint.

    ${detaint{<string>}{<charlist>}}

Idea is that you supply the string you want detainted, and a "permitted character list" where all characters not on that list will be deleted.

However, <charlist> must be untainted. Would even be better to completely disable string expansion for <charlist>.

Example:
if $domain contains "sebbe.eu/../../../../etc/passwd"
then

    ${detaint{$domain}{abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.}}

will return:

    sebbe.eu........etcpasswd

in detainted form - which will be safe to use as a filename.

OF COURSE it's the system administrator's responsibility to supply a character list that is "safe" for the use case of said tainted data.

Because of the new stricter taint rules, system administrators shouldn't need to specify complete domain whitelists; it's better to allow for "any domain" as long as this "any domain" is scrubbed from any unsafe data.
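
Added example, not part of the original message and not Exim code: a C sketch of the filtering the proposal describes, run on the post's input and character list. The names detaint_filter and safe_component are hypothetical; the second function is an assumed follow-up check for the case where "." is on the permitted list and the cleaned value comes out as "." or "..".

```c
#include <stdio.h>
#include <string.h>

/* Character list taken from the post's example. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";

/* Hypothetical helper (not an Exim function): copy into out only the bytes
   of in that appear in allowed. Always NUL-terminates when outsz > 0 and
   returns the number of bytes kept. */
size_t detaint_filter(const char *in, const char *allowed,
                      char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outsz; in++)
        if (strchr(allowed, *in) != NULL)
            out[n++] = *in;
    out[n] = '\0';
    return n;
}

/* Hypothetical follow-up check: with '.' on the allowed list, inputs such
   as "../" are reduced to "..", so reject empty results and anything that
   starts with a dot before using the value as a file name. */
int safe_component(const char *s)
{
    return s[0] != '\0' && s[0] != '.' && strchr(s, '/') == NULL;
}

int main(void)
{
    /* Constructed sample inputs; the first is the one from the post. */
    const char *samples[] = { "sebbe.eu/../../../../etc/passwd", "../", "/" };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        detaint_filter(samples[i], ALLOWED, buf, sizeof buf);
        printf("%-34s -> \"%s\" (%s)\n", samples[i], buf,
               safe_component(buf) ? "usable" : "rejected");
    }
    return 0;
}
```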