Re: [exim] Taint checking and exim 4.96rc0

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Slavko (tblt)
Date:  
À: exim-users
Sujet: Re: [exim] Taint checking and exim 4.96rc0
Dňa 29. apríla 2022 21:41:55 UTC používateľ Kirill Miazine via Exim-users <exim-users@???> napísal:

>I'd welcome some generic way to untaint data. E.g. Perl would allow to
>subpatterns from regular expression match to untaint parts of data. For
>local parts and domains there's kind of a way, but for local part
>affixes or sender addresses, I couldn't find a way.


Yes, as i wrote the same already some time ago, some generic
${detaint:...} expansion is missing. All current solutions are based
on "local" DB lookup. But it is not suitable e.g. to my case, where i
verify recipients from my MX to my other MTA (where local DB are
stored) by callout. But that doey not detaint recipient address nor
domain, thus i have to use some tricks to be able to use per
recipient/domain (something as) quarantine on MX...

As redis support is not full (and on Debian is missing at all) i use
${run ...} to communicate with redis and i afraid, that i will have
problems to use it in new version, etc, etc. I have very mixed feel.
And i can only afraid, what will arrive next. Perhaps reject to detaint
by that local DB values (as someone can insert insecure values
there)?

After more than 30 years in computer & network word i learn, that
software can either allow to do flexible configuration (including
mistakes) or do not allow to do mistakes (but without flexibility),
never can be achieved both at once... Until recent, exim was in the
first case and we will see, where it go.

Regards

--
Slavko