Autor: Evgeniy Berdnikov Data: Para: exim-users Assunto: Re: [exim] Taint checker confusing error (blaming file but caused
by later ldap lookup)
On Wed, Dec 22, 2021 at 10:15:54PM +0100, Michael Haardt via Exim-users wrote: > Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:
> > Think a bit. Lot of examples may be found in one minute.
> > For example, you have to check user's quota, which is stored in some
> > database. You have to extract current maibox size, quota limit, then
> > add message size to box size and compare with limit.
> > It's natural to use runtime variables, isn't it?
>
> In that example static analysis can decide which variables are tainted
> and which are not. The variable values change at runtime, that is all.
Static analysis can't be done today because it is not implemented yet.
And the crutial difference bitween compile-time and runtime checking
(or bitween imagination and reality) is that any model can't be ideal.
But practical security requires bulletproof solutions.
--
Eugene Berdnikov