Re: [exim-dev] [Bug 2601] Taint for $sender_address_domain?

Top Page
This message is part of the following thread:
M++\the complete thread tree sorted by date
MMMMadmin at <-
M 
Delete this message
Reply to this message
Author: Andrew C Aitchison
Date:  
To: martynas
CC: exim-dev
Subject: Re: [exim-dev] [Bug 2601] Taint for $sender_address_domain?
On Wed, 17 Jun 2020, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2601
>
> --- Comment #2 from martynas@??? ---
> Yes, but why do we trust message body then? Like:
> if $message_body matches "...."
> then
> seen finish
> endif
>
> The thing I don't get - why is $message_body safer than $sender_address_domain
> ?

As I understand it, the result of "matches" is untainted,
since the answer is effectively a boolean. 

Your system filter line
     if $sender_address_domain: is
is not a complete statement.
"is" comes between two arguments and its result is also untainted.


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???


This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-[exim-dev] [Bug 2601] Taint for $sender_address_domain?[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)