Re: [exim] de-tainting

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Robert Blayzor
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] de-tainting
That fact that string sub-sitution and matching parts don't even work
now is a real problem...

data = ${expand:"|/command -c ${if match
{$local_part}{.*foo[\-\+]([a-z0-9]+).*}{$1}{}}"}


Won't even work because matching only numbers and letters is still
considered "tainted".

Forcing everything to a static lookup is a bit harsh for a dot release
that snuck under the radar and broke everything....

There should of been ample deprecation notice with a default to "off"
before this was forced out.



On 6/26/20 5:54 PM, Sebastian Nielsen via Exim-users wrote:
> <permitted_characters> is NOT expanded, meaning only character that needs to
> be escaped in that circumstance is { and }.
>
> Example:
> ${filter{$phonenumber}{0123456789}}
>
> Would simply strip all characters except 0-9 from $phonenumber and return in
> untainted form, so if $phonenumber contains "hey0do56" then
> ${filter{$phonenumber}{0123456789}} will return 056



--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/