Re: [exim] tainted data issues

Author: Mike Tubby
Date:  
To: exim-users
New-Topics: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Subject: Re: [exim] tainted data issues


On 10/11/2020 08:37, Julian Bradfield via Exim-users wrote:
> I thought it was standard practice in introducing a new feature that
> causes major breakage to existing installations, to take a three step
> approach. First you provide the feature, and give it an enabling
> switch with three levels "off", "warn but don't error", "on".
> Then in successive releases you change the default value of the
> enabling switch, and ultimately you remove the enabling switch.
>
> I understand that taint protection is considered a security feature,
> but it's a feature exim users have done without for decades, so I
> can't really see that there was a particularly urgent need to
> introduce it in a big bang.
>


In one word "upvote".

I am all for improved security but a single "step change" that breaks
existing configurations is IMHO going too far.

    taint_mode = off | warn | enforce

Would have been nice ;-)


Mike