[exim-dev] [Bug 2850] New: query-style lookup parameter safe…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2850] New: query-style lookup parameter safety enforcement
https://bugs.exim.org/show_bug.cgi?id=2850

            Bug ID: 2850
           Summary: query-style lookup parameter safety enforcement
           Product: Exim
           Version: 4.95
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Lookups
          Assignee: unallocated@???
          Reporter: jgh146exb@???
                CC: exim-dev@???


We have quote_<lookuptype> expansion operators to make arguments for
query-style lookups safe, but no way to enforce use.

How about some development of the taint-tracking to do so?
Noting that a tainted arg is legitimate, indeed common.


Possibly: a dynamically-created tainted lookup pool, used for the result of
a tainted arg to a quote_ operator. Pool is tagged by the quoting type.
Further expansions of strings of this type stay in this pool
(legitimate subclass of the current taint-tracking rule).

Then: at the handover to the lookup implementation, test for taint *not* of
this special class (and error out if so). Either untainted or this class is ok.

We wouldn't be able to handle stacked quoting of different types, but that's
a pretty unlikely case.


Inspired by
https://lists.exim.org/lurker/message/20211222.175742.8bec4b65.en.html

--
You are receiving this mail because:
You are on the CC list for the bug.
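
Added example, not part of the original report and not Exim code: a toy C model of the rule proposed above, where a string quoted for one lookup type keeps that tag through further expansion and the lookup handover rejects any other taint. All names (`struct str`, `quote_for`, `str_cat`, `lookup_arg_ok`) are hypothetical, the quote-doubling is a constructed stand-in for a real quote_<lookuptype> operator, and treating a mix of two quoting types as plainly tainted is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the proposal; none of these names are Exim's. */
enum taint { CLEAN, TAINTED, QUOTED };
struct str { char buf[256]; enum taint taint; const char *qtype; };

static struct str str_new(const char *s, enum taint t) {
    struct str r = { "", t, NULL };
    snprintf(r.buf, sizeof r.buf, "%s", s);
    return r;
}

/* Stand-in for a quote_<lookuptype> operator: doubles single quotes
   (constructed rule) and tags a tainted result with the quoting type. */
static struct str quote_for(const char *type, struct str in) {
    struct str r = { "", in.taint == CLEAN ? CLEAN : QUOTED, NULL };
    size_t n = 0;
    for (const char *p = in.buf; *p && n + 2 < sizeof r.buf; p++) {
        if (*p == '\'') r.buf[n++] = '\'';
        r.buf[n++] = *p;
    }
    r.buf[n] = '\0';
    if (r.taint == QUOTED) r.qtype = type;  /* stacked quoting keeps only the last type */
    return r;
}

/* Further expansion: stays in the quoted class only while every tainted
   part was quoted for the same type (assumption: a mix becomes TAINTED). */
static struct str str_cat(struct str a, struct str b) {
    struct str r = a;
    strncat(r.buf, b.buf, sizeof r.buf - strlen(r.buf) - 1);
    if (a.taint == TAINTED || b.taint == TAINTED) r.taint = TAINTED;
    else if (a.taint == CLEAN) { r.taint = b.taint; r.qtype = b.qtype; }
    else if (b.taint == QUOTED && strcmp(a.qtype, b.qtype) != 0) r.taint = TAINTED;
    return r;
}

/* Check at the handover to the lookup: untainted, or quoted for this type. */
static int lookup_arg_ok(const char *type, struct str q) {
    return q.taint == CLEAN || (q.taint == QUOTED && strcmp(q.qtype, type) == 0);
}

int main(void) {
    struct str user = str_new("o'brien", TAINTED);   /* constructed input */
    struct str pre  = str_new("SELECT home FROM u WHERE n='", CLEAN);
    struct str good = str_cat(str_cat(pre, quote_for("mysql", user)), str_new("'", CLEAN));
    struct str bad  = str_cat(str_cat(pre, user), str_new("'", CLEAN));
    printf("%s -> %s\n", good.buf, lookup_arg_ok("mysql", good) ? "accept" : "reject");
    printf("%s -> %s\n", bad.buf,  lookup_arg_ok("mysql", bad)  ? "accept" : "reject");
}
```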