Except that most people would never think of either splitting the list
or using quote_ldap. If I were a new user, I probably would struggle
with Exim for some time and then check alternatives, because currently
it is really hard to understand and use for many reasons, and I say that
as someone familiar with it for over 20 years.

The problem solved by taint checking is real, but I believe the current
approach is scary. Now I like Exim, so just thinking out loud:

Would it be feasible to replace the tainted bool with a bitfield,
and have e.g. a file lookup only clear the bit for file operations and
quote_ldap only clear the bit for ldap?

Would it be possible to expand all strings when reading the configuration
without causing side effects to check any attempt of using tainted data
at startup?

How about introducing a new object (like ACL, router etc) that gets
tainted data and either produces untainted data or a data validation
failure? It would avoid the *_data side effect currently spread all
over the configuration and concentrate all checks in one place.

Just some ideas on how we might improve the situation.
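
The bitfield idea from the message above, sketched as an added example that is not part of the original post and is not Exim code. The type `tstr`, the bit names and every function name are hypothetical, and the quoting is simplified RFC 4515 filter escaping rather than Exim's `quote_ldap`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-sink taint bits; these names are not Exim's. */
enum { T_FILE = 1u << 0, T_LDAP = 1u << 1, T_ALL = T_FILE | T_LDAP };

typedef struct { char s[256]; unsigned taint; } tstr;

/* Untrusted input starts tainted for every sink. */
static tstr from_network(const char *v) {
    tstr t = { .taint = T_ALL };
    snprintf(t.s, sizeof t.s, "%s", v);
    return t;
}

/* Simplified RFC 4515 filter escaping; clears only the LDAP bit. */
static tstr quote_for_ldap(tstr in) {
    tstr out = { .taint = in.taint & ~(unsigned)T_LDAP };
    size_t o = 0;
    for (const char *p = in.s; *p && o + 4 < sizeof out.s; p++) {
        if (strchr("*()\\", *p))
            o += (size_t)snprintf(out.s + o, 4, "\\%02x", (unsigned char)*p);
        else
            out.s[o++] = *p;
    }
    return out;
}

/* Lookup against an admin-controlled list: on a hit, return the list's own
   copy with only the file bit cleared; on a miss, return the input unchanged. */
static tstr lookup_in_list(tstr key, const char *const *list, size_t n, int *hit) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(key.s, list[i]) == 0) {
            tstr out = { .taint = key.taint & ~(unsigned)T_FILE };
            snprintf(out.s, sizeof out.s, "%s", list[i]);
            *hit = 1;
            return out;
        }
    *hit = 0;
    return key;
}

/* A sink refuses any value that is still tainted for that sink. */
static int sink_allowed(tstr v, unsigned sink_bit) {
    return (v.taint & sink_bit) == 0;
}
```

A value quoted for LDAP is still refused as a file name, and a value validated by the list lookup is still refused in an LDAP filter until it is quoted.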