Re: [exim] Taint checking and exim 4.96rc0

On 30/04/2022 00:54, Slavko (tblt) via Exim-users wrote:
> Yes, as i wrote the same already some time ago, some generic
> ${detaint:...} expansion is missing.

That would be instantly abused.

> verify recipients from my MX to my other MTA (where local DB are
> stored) by callout. But that doey not detaint recipient address nor
> domain,

That's worthy of consideration; thank you for the idea.
Essentially, it would be treating a backend MTA as a trusted DB
for lookup.

> As redis support is not full (and on Debian is missing at all) i use
> ${run ...} to communicate with redis and i afraid, that i will have
> problems to use it in new version,

Volunteers to work on any aspect, including redis support, are
always welcome. It really needs someone who uses it and finds
a facility lacking (meaning: not me).

In the meantime, the ${run } expansion is not taint-checked
(and therefore still fertile ground for security breaches).

--
Cheers,
Jeremy