Re: [exim] de-tainting

Góra strony
Delete this message
Reply to this message
Autor: Robert Blayzor
Data:  
Dla: exim-users
Temat: Re: [exim] de-tainting
On 6/29/20 12:18 PM, Kurt Jaeger via Exim-users wrote:
> One thing I'll test is if we hand values over to perl, maybe
> we'll get back untainted value...
>
> Or did me beat someone to that already ? 8-}



I did not test that, I would imagine that should work because how would
it really know what return values you are sending back.

I know that using sg{} or {if match {} {} {}} does not work, string
expansion fails...

Even this fails...

${if match {$local_part}{.*sms[\-\+]([a-z0-9]+).*}{$1}{}}


With expansion failure due to tainted... I'm clearly just pulling how
known safe data, so it should be considered de-tainted....


There is literally no difference vs doing some fake lookup...


--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/