Re: [exim-dev] [Bug 2601] Taint for $sender_address_domain?

Author: Andrew C Aitchison
Date:  
To: martynas
CC: exim-dev
Subject: Re: [exim-dev] [Bug 2601] Taint for $sender_address_domain?
On Wed, 17 Jun 2020, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2601
>
> --- Comment #2 from martynas@??? ---
> Yes, but why do we trust message body then? Like:
> if $message_body matches "...."
> then
> seen finish
> endif
>
> The thing I don't get - why is $message_body safer than $sender_address_domain
> ?


As I understand it, the result of "matches" is untainted,
since the answer is effectively a boolean.

Your system filter line
     if $sender_address_domain: is
is not a complete statement.
"is" comes between two arguments and its result is also untainted.


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
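
The point made in the reply above, as an added example that is not part of the original message and is not Exim's code: a simplified Python model of taint tracking in which the `matches` and `is` conditions take tainted input but return only a boolean, while string expansion keeps the taint. The `Tainted` type, the `use_as_path` sink, the paths and the sample values are assumptions constructed for illustration.

```python
import re

class Tainted(str):
    """String carrying remote-supplied bytes (model type, not Exim's)."""

class TaintError(Exception):
    """Raised when tainted data reaches a sink."""

def expand(template, variables):
    """Expand $name references; the result is tainted if any value used was."""
    tainted = False
    def sub(m):
        nonlocal tainted
        value = variables[m.group(1)]
        tainted = tainted or isinstance(value, Tainted)
        return str(value)
    out = re.sub(r"\$(\w+)", sub, template)
    return Tainted(out) if tainted else out

def cond_matches(subject, pattern):
    """Model of `matches`: only a bool leaves this function, no sender bytes."""
    return re.search(pattern, subject) is not None

def cond_is(left, right):
    """Model of `is`: two arguments in, a bool out."""
    return str(left) == str(right)

def use_as_path(value):
    """Hypothetical sink: refuses any string that is still tainted."""
    if isinstance(value, Tainted):
        raise TaintError("tainted data used as path: %r" % str(value))
    return value

def run_filter(variables):
    """Branch on tainted input, then act only on fixed, untainted strings."""
    if cond_matches(variables["message_body"], r"unsubscribe"):
        return use_as_path("/var/spool/filter/unsub")
    if cond_is(variables["sender_address_domain"], "example.org"):
        return use_as_path("/var/spool/filter/example.org")
    # Falling through to an expansion of sender data keeps the taint.
    return use_as_path(expand("/var/spool/filter/$sender_address_domain", variables))

# Constructed sample input: both values come from the sender, so both are tainted.
SAMPLE = {"message_body": Tainted("please unsubscribe me"),
          "sender_address_domain": Tainted("../../etc")}
```

In this model the sender can influence which branch is taken, but the bytes that reach the sink in the first two branches are fixed strings from the filter itself; only the last branch passes sender-controlled bytes onward and is refused.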