Re: [exim] 4.94 - taint - generic workaround

Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] 4.94 - taint - generic workaround
On Mon, Jul 20, 2020 at 11:05:46AM +0200, Marcin Gryszkalis via Exim-users wrote:
> On 19.07.2020 23:00, Evgeniy Berdnikov via Exim-users wrote:
> > On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via

...
> >  ${lookup {string} nwildlsearch,ret=key {/run/detaint}\
> >        {expr-if-matched}{expr-if-fail}}

> >
> > where /run/detaint is a file with a character filter; in your case it may be
> > a single string with regex ^[\w\.\-]$ or
> >
> > ^[A-Za-z0-9_\.\-]+$
>
> As I understand this uses the change mentioned in 4.94-rc0 changes:
>
> "- - An option on all single-key lookups, to return (on a hit)
> a de-tainted version of the lookup key rather than the looked-up data."


Yes.

> If so - then I don't really understand why this is any better than
> proposed string expansion detaint{$val}{regexp/charlist}...


It's more powerful, because many matching patterns may be put in a file,
ranging from simple "character filters" to very complex constructs.
You can also put a single asterisk for blind "all-detainting", if it
suits you. This is a note about functional capabilities.

If your question was about the user interface and look-and-feel,
I agree that the direction of its evolution seems not right...
But I'm not an Exim developer. Developers may have other opinions.
--
Eugene Berdnikov
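To make the ret=key mechanism discussed above concrete, here is an added illustration written for this page (not from the thread or from the Exim project): the /run/detaint pattern file with the character filter quoted above, and an assumed router/transport pair that uses the de-tainted key in a delivery path. The router and transport names, the use of address_data and the mailbox directory are assumptions.

```exim
# /run/detaint (constructed for this example): one nwildlsearch key per line.
# A key beginning with "^" is a regular expression. No data part is needed,
# because ret=key returns the matched key itself rather than any data.
^[A-Za-z0-9_.-]+$

# Router fragment (assumed name and layout, not from the thread).
# $local_part is tainted because it comes from the message envelope.
# On a hit, ret=key makes $value the de-tainted copy of the lookup key,
# which is stored in $address_data for the transport to use.
# On a miss the {fail} branch forces expansion failure, so the router
# declines instead of ever building a path from unchecked input.
userdir_delivery:
  driver = accept
  check_local_user
  transport = local_delivery
  address_data = ${lookup {$local_part} nwildlsearch,ret=key {/run/detaint} {$value} {fail}}

# Transport fragment (assumed): only the de-tainted value reaches the filesystem.
local_delivery:
  driver = appendfile
  directory = /var/mail/$address_data
  maildir_format
```

Putting a bare `*` in /run/detaint, as mentioned above, would make every key match and thereby de-taint everything, which removes the check rather than enforcing it.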