Re: [exim] Exim 4.94 Taint issues

Author: Eduardo M KALINOWSKI
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.94 Taint issues
On 18/07/2020 02:22, Andreas Metzler via Exim-users wrote:
> On 2020-07-18 The Doctor via freebsd-ports <freebsd-ports@???> wrote:
>> Trying Exim 4.94 and I am getting
>
>> 2020-07-17 19:28:04.818 [8344] 1jwbdQ-00023D-Cx == doctor@??? R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
> Exim specification, concept index, de-tainting.
>
> cu Andreas
>

Except that there isn't such a section.

There's "tainted data" and inside it "de-tainting". Easily found by word
search, but not by manual search under "D".

But finding what you mean is not the problem. The problem is that there
isn't a section of the manual devoted to this concept of tainted data
and untainting it. The links under the concepts above lead to general
sections about expansions and lookups, that talk about a lot of things,
and the references to tainting are generally cryptic mentions of "cannot
be used on tainted data" or "the return is not tainted".

There really needs to be a section devoted to tainted strings (what they
are, which data is tainted, etc) and how to de-taint them, preferably
with examples of common use cases.

From what I can remember, even the Release notes had only brief mentions
of this new feature, which is a major breaking change. I appreciate the
effort the development team has put in Exim over the years, and I know
that writing documentation is hard and time-consuming. But this needed
to be better documented from the start.


--
The only way to amuse some people is to slip and fall on an icy pavement.

Eduardo M KALINOWSKI
eduardo@???
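
One way to see which routers and transports are hitting the taint check after an upgrade, as an added example that is not part of the original message or of Exim itself: it scans main-log text for deferrals in the format quoted above and counts them per router, transport and option description. The sample log is constructed (only its first line follows the quoted one, with a placeholder address), and the names `parse_taint_defers` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample. Line 1 follows the log line quoted in the thread (with a
# placeholder address); the remaining lines are invented for this example.
SAMPLE_LOG = """\
2020-07-17 19:28:04.818 [8344] 1jwbdQ-00023D-Cx == doctor@example.org R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
2020-07-17 19:30:11 1jwbfT-00023Q-9a == alice@example.org R=localuser T=local_delivery defer (-1): Tainted '/var/mail/alice' (file or directory name for local_delivery transport) not permitted
2020-07-17 19:31:02 1jwbgI-00023c-Lk => bob <bob@example.org> R=localuser T=local_delivery
2020-07-17 19:32:40 1jwbhs-00023o-2B == carol@example.org R=localuser T=local_delivery defer (-1): constructed non-taint error for contrast
"""

TAINT_DEFER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "  # timestamp, optional ms
    r"(?:\[\d+\] )?"                                            # optional [pid]
    r"(?P<msgid>\S+) == (?P<rcpt>\S+)"                          # "==" marks a deferral
    r"(?P<fields>.*?): Tainted '(?P<value>[^']*)' "             # the rejected string
    r"\((?P<what>[^)]*)\) not permitted",                       # which option used it
    re.MULTILINE,
)

def parse_taint_defers(log_text):
    """Return one dict per deferral caused by a tainted string."""
    events = []
    for m in TAINT_DEFER.finditer(log_text):
        router = re.search(r"\bR=(\S+)", m["fields"])
        transport = re.search(r"\bT=(\S+)", m["fields"])
        events.append({
            "timestamp": m["ts"],
            "msgid": m["msgid"],
            "recipient": m["rcpt"],
            "router": router.group(1) if router else None,
            "transport": transport.group(1) if transport else None,
            "value": m["value"],
            "what": m["what"],
        })
    return events

def summarize(events):
    """Count taint deferrals per (router, transport, option description)."""
    return Counter((e["router"], e["transport"], e["what"]) for e in events)

if __name__ == "__main__":
    for (router, transport, what), n in summarize(parse_taint_defers(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  R={router} T={transport}: {what}")
```

Each distinct key in the summary points at one configuration option whose expansion still uses a tainted value and needs a de-tainted replacement.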