Re: [exim] tainted data issues

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Heiko Schlittermann
Data:  
Para: exim-users
Assunto: Re: [exim] tainted data issues
Sander Smeenk via Exim-users <exim-users@???> (Mi 05 Mai 2021 17:10:39 CEST):
> Quoting Jeremy Harris via Exim-users (exim-users@???):
>
> > It is far to easy for someone to write a matcher which just
> > untaints everything, disabling the security. Three people
> > would do that, and one would post it on serverfault. Then
> > it would be cargo-culted forever.
>
> You mean like this 'hack'?
> https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/
>
>
> TL;DR:
>
> Late to the party i see, but i was bitten by the new 'tainted
> data'-feature yesterday and after reading this thread, i too would
> really like to see that ${untaint{}{}} idea implemented.


In case you didn't notice. We've added a new but already deprecated main
config option:

        allow_insecure_tainted_data = yes


For this option you need to get exim-4.94.2+fixes. This option isn't
part of 4.94.2!

This option allowes you to turn the taint errors into warnings and is
provided to help you in reworking your config into a more secure one.
Future Exim release (not sure about "future" though) will ignore this
option.

Debian 11 includes this patch already. Exim 4.95 will kind of offically
suppport this option too. But, as said above, it is deprecated already
today.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -