Re: [exim] tainted data issues

Pàgina inicial
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
A: exim-users
Assumptes nous: Re: [exim] tainted data issues
Assumpte: Re: [exim] tainted data issues
On 10/11/2020 20:45, Sebastian Nielsen via Exim-users wrote:
> I think as I said, provide a untaint tool, that allows custom data to verify
> against.
>
> Like:
> ${untaint(${var},
> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")}


No; this is a bad idea.

It is far to easy for someone to write a matcher which just
untaints everything, disabling the security. Three people
would do that, and one would post it on serverfault. Then
it would be cargo-culted forever.
--
Cheers,
Jeremy