Re: [exim] Exim 4.94 Taint issues

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.94 Taint issues
On 2020-07-18 Eduardo M KALINOWSKI via Exim-users <exim-users@???> wrote:
> On 18/07/2020 02:22, Andreas Metzler via Exim-users wrote:

[...]
> > Exim specification, concept index, de-tainting.

> Except that there isn't such a section.

> There's "tainted data" and inside it "de-tainting". Easily found by word
> search, but not by manual search under "D".
Hello,

I had double-checked that what I referred to does exist before I sent my
response.
ametzler@argenau:~$ w3m -dump 'https://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html' | grep -A6 de-tainting
    de-tainting


        File and database lookups [Examples of different lookup syntax], File
        and database lookups [Lookup types], Domain, host, address, and local
        part lists [Domain lists], Domain, host, address, and local part lists
        [Domain lists], Domain, host, address, and local part lists [Domain
        lists]


[...]
> From what I can remember, even the Release notes had only brief mentions
> of this new feature, which is a major breaking change.
There is a pretty fat note in README.UPDATING:
Exim version 4.94
-----------------

| Some Transports now refuse to use tainted data in constructing their
| delivery location; this WILL BREAK configurations which are not updated
| accordingly. In particular: any Transport use of $local_part which has
| been relying upon check_local_user far away in the Router to make it
| safe, should be updated to replace $local_part with $local_part_data.
> I appreciate the
> effort the development team has put in Exim over the years, and I know
> that writing documentation is hard and time-consuming. But this needed
> to be better documented from the start.
While I agree this is true, documentation grows with the code; IMHO best
practices are still emerging and we might still see a big hammer like
quote-maximum-length-no-evil-characters-including-directory-separators

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
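The README.UPDATING change quoted in the message above, shown as an added configuration example (not from the thread or the Exim project): a router that validates the local part with check_local_user, the pre-4.94 transport that still uses the tainted $local_part, and the updated transport using $local_part_data. Router and transport names follow Exim's default configuration; the mailbox path is an assumption.

```exim
# Added illustration, not from the thread or from Exim's own documentation.
# Router/transport names are the conventional ones; /var/mail is assumed.

# Router: check_local_user looks the local part up as a system account.
# From Exim 4.94 the looked-up (and therefore de-tainted) value is made
# available to later routers and transports as $local_part_data.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

# Pre-4.94 style transport. $local_part comes straight from the message
# envelope and stays tainted, so a 4.94 transport refuses to build the
# delivery location from it, even though the router already checked it.
# (Kept as a comment: Exim would not accept two transports of this name.)
#
# local_delivery:
#   driver = appendfile
#   file = /var/mail/$local_part
#   delivery_date_add
#   envelope_to_add
#   return_path_add

# Updated transport: the mailbox path is built from $local_part_data,
# the value check_local_user verified, so the delivery location is untainted.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
```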