Hi
I'm testing 4.94 for possible issues regarding recent tainting changes -
and found one similar to one discussed in other thread but a bit
different (more info below).
It seems that Jeremy is all against creating generic string detaint -
but I don't agree and I still needed quick workaround so I tested
something like this using mysql (that is already used by my exim):
replaced:
file = /archive/from-${authenticated_id}/${tod_logfile}
with:
file = /archive/from-${lookup mysql {
select regexp_replace('${quote_mysql:$authenticated_id}',
'[^A-Za-z0-9_.-]', '') }}/${tod_logfile}
I know I could just use
file = /archive/from-${lookup mysql {
select '${quote_mysql:$authenticated_id}'}}/${tod_logfile}
but I wanted example which matches proposed "detaint" function.
To explain original case further:
It seems that $authenticated_id is marked as tainted, it's set in
server_set_id = $auth1
but it was already validated via database (the user is authenticated) -
so in this particular case it could be marked as untainted (ie. I know
it's safe to use it because I know that logins don't contain any
characters that would break filenames). I'm not really happy that I'm
not allowed to apply this knowledge.
I cannot use lookup-dsearch to detaint because the archive file may not
exist (it's created as needed), the same applies to directory (it
doesn't exist for fresh users, it may never be created for users that
don't send mail). This is the same problem others pointed out.
best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7
http://fork.pl/gpg.txt
