Re: [exim] Suggestion: detainting via string exp

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Sebastian Nielsen
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Suggestion: detainting via string exp
Not by any user outside (thats why I suggest that even any string expansion
in <charlist> should be disallowed - so its not possible to inject ANY data
outside of config file). A system administrator could do it, but then its
deliberate and his own fault.

The idea was to permit a safe form of detainting, in the same way that
regular expressions do detaint in Perl.

You could for example do this in perl:

$taint =~ m/^(.*)$/;
$detaint = $1;

And you would have bypassed that security measure. But then its the
programmers own fault.

You are however supposed to do like:

$taint =~ m/([a-zA-Z0-9]*)/;
$detaint = $1;

The idea is more that currently, to detaint, you must specify a whitelist of
domains to allow, prohibiting use of for example filenames for sender
domains. Why that? Isn't it better to allow any domain but as long as the
data is safe to pass on?

Its not like it would be unsafe to pass "evildomain.com" to a pipe or file
transport, whats unsafe is if $domain would contain characters allowing a
remote user to escape out from the directory or command, and thus write
outside of system-administrators restricted location (ergo command
injection).

Thats why I suggest a character-based detainting system, where you specify
allowed characters instead, which would allow many forms of tainted data to
pass, but scrubbed from any danger.

-----Ursprungligt meddelande-----
Från: Jeremy Harris via Exim-users <exim-users@???>
Skickat: den 3 juni 2020 13:23
Till: exim-users@???
Ämne: Re: [exim] Suggestion: detainting via string exp

On 03/06/2020 11:56, Sebastian Nielsen via Exim-users wrote:
> I have a suggestion, and that is to allow detainting of data via a new

string expansion called detaint.${detaint{<string>}{<charlist>}}

No.

Absolutely not.

This would be an open invitation to evade the security measure.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/