Re: [exim] tainted data issues

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jeremy Harris
Dátum:  
Címzett: exim-users
Új témák: Re: [exim] tainted data issues
Tárgy: Re: [exim] tainted data issues
On 10/11/2020 20:45, Sebastian Nielsen via Exim-users wrote:
> I think as I said, provide a untaint tool, that allows custom data to verify
> against.
>
> Like:
> ${untaint(${var},
> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")}


No; this is a bad idea.

It is far to easy for someone to write a matcher which just
untaints everything, disabling the security. Three people
would do that, and one would post it on serverfault. Then
it would be cargo-culted forever.
--
Cheers,
Jeremy