Re: [exim] tainted data issues

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-users
Neue Treads: Re: [exim] tainted data issues
Betreff: Re: [exim] tainted data issues
On 10/11/2020 20:45, Sebastian Nielsen via Exim-users wrote:
> I think as I said, provide a untaint tool, that allows custom data to verify
> against.
>
> Like:
> ${untaint(${var},
> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")}


No; this is a bad idea.

It is far to easy for someone to write a matcher which just
untaints everything, disabling the security. Three people
would do that, and one would post it on serverfault. Then
it would be cargo-culted forever.
--
Cheers,
Jeremy