https://bugs.exim.org/show_bug.cgi?id=2850
Bug ID: 2850
Summary: query-style lookup parameter safety enforcement
Product: Exim
Version: 4.95
Hardware: x86
OS: Linux
Status: NEW
Severity: wishlist
Priority: medium
Component: Lookups
Assignee: unallocated@???
Reporter: jgh146exb@???
CC: exim-dev@???
We have quote_<lookuptype> expansion operators to make arguments for
query-style lookups safe, but no way to enforce use.
How about some development of the taint-tracking to do so?
Noting that a tainted arg is legitimate, indeed common.
Possibly: a dynamically-created tainted lookup pool, used for the result of
a tainted arg to a quote_ operator. Pool is tagged by the quoting type.
Further expansions of strings of this type stay in this pool
(legitimate subclass of the current taint-tracking rule).
Then: at the handover to the lookup implementation, test for taint *not* of
this special class (and error out if so). Either untainted or this class is ok.
We wouldn't be able to handle stacked quoting of different types, but that's
a pretty unlikely case.
Inspired by
https://lists.exim.org/lurker/message/20211222.175742.8bec4b65.en.html
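A small model of the enforcement idea in the report above, added here as an illustration; it is not part of the original report and is not Exim code. The type `tstr`, the functions `mk`, `quote_for`, `cat` and `lookup_allowed`, the class constants and the placeholder escaping are all hypothetical, and the model assumes an untainted argument to a quote_ operator stays untainted.

```c
#include <stdio.h>

/* Hypothetical model, not Exim's data structures or API. */
enum { CLS_CLEAN = 0, CLS_TAINTED = -1 };  /* cls > 0: quoted for that lookup type */
enum { LK_MYSQL = 1, LK_LDAP = 2 };
typedef struct { char s[256]; int cls; } tstr;
static tstr mk(const char *s, int cls) {
    tstr t; snprintf(t.s, sizeof t.s, "%s", s); t.cls = cls; return t;
}

/* Stand-in for a quote_<lookuptype> operator: placeholder escaping,
   result tagged with the quoting type when the argument was tainted. */
static tstr quote_for(tstr in, int lk) {
    tstr out; size_t j = 0;
    for (size_t i = 0; in.s[i] && j + 2 < sizeof out.s; i++) {
        if (in.s[i] == '\'' || in.s[i] == '\\') out.s[j++] = '\\';
        out.s[j++] = in.s[i];
    }
    out.s[j] = 0;
    if (in.cls == CLS_CLEAN) out.cls = CLS_CLEAN;
    else if (in.cls == CLS_TAINTED || in.cls == lk) out.cls = lk;
    else out.cls = CLS_TAINTED;  /* stacked quoting of another type: unsupported */
    return out;
}

/* Further expansion: clean text joins the other operand's class,
   same-class quoted text stays in its class, anything else is plain taint. */
static tstr cat(tstr a, tstr b) {
    tstr t; snprintf(t.s, sizeof t.s, "%s%s", a.s, b.s);
    if (a.cls == CLS_CLEAN) t.cls = b.cls;
    else if (b.cls == CLS_CLEAN || a.cls == b.cls) t.cls = a.cls;
    else t.cls = CLS_TAINTED;
    return t;
}

/* Handover check: untainted or quoted-for-this-lookup passes (1), else error (0). */
static int lookup_allowed(tstr q, int lk) {
    return q.cls == CLS_CLEAN || q.cls == lk;
}

int main(void) {
    tstr user = mk("o'brien", CLS_TAINTED);  /* constructed sample input */
    tstr pre = mk("SELECT home FROM users WHERE name='", CLS_CLEAN);
    tstr ok  = cat(cat(pre, quote_for(user, LK_MYSQL)), mk("'", CLS_CLEAN));
    tstr raw = cat(cat(pre, user), mk("'", CLS_CLEAN));
    printf("%s -> %d\n%s -> %d\n", ok.s, lookup_allowed(ok, LK_MYSQL),
           raw.s, lookup_allowed(raw, LK_MYSQL));
    return 0;
}
```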