Re: [exim] Taint checking and exim 4.96rc0

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
On 30/04/2022 00:54, Slavko (tblt) via Exim-users wrote:
> Yes, as I wrote the same already some time ago, some generic
> ${detaint:...} expansion is missing.

That would be instantly abused.

> verify recipients from my MX to my other MTA (where local DBs are
> stored) by callout. But that does not detaint recipient address nor
> domain,

That's worthy of consideration; thank you for the idea.
Essentially, it would be treating a backend MTA as a trusted DB
for lookup.

> As redis support is not full (and on Debian is missing at all) I use
> ${run ...} to communicate with redis and I am afraid that I will have
> problems to use it in new version,

Volunteers to work on any aspect, including redis support, are
always welcome. It really needs someone who uses it and finds
a facility lacking (meaning: not me).

In the meantime, the ${run } expansion is not taint-checked
(and therefore still fertile ground for security breaches).

--
Cheers,
Jeremy
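As an added illustration (not part of the thread and not Exim project code), the pattern Jeremy hints at, "treating a trusted source as a DB for lookup", is the documented way to detaint in Exim 4.94+: tainted data such as `$local_part` may be used as a lookup *key*, and the lookup *result* (here exposed as `$local_part_data`) is untainted and can be used in file names. The file path `/etc/exim4/local_users` and the transport names are assumptions for the example; the file is a constructed lsearch list with one bare local part per line.

```exim
# Constructed example router/transport pair; assumed file /etc/exim4/local_users
# contains one local part per line (lsearch format, e.g. "alice", "bob").

local_users:
  driver = accept
  domains = +local_domains
  # $local_part arrives tainted (it came from the SMTP client). Using it as a
  # lookup key is allowed; a successful match sets $local_part_data to the
  # value found in the trusted file, which is untainted.
  local_parts = lsearch;/etc/exim4/local_users
  transport = local_delivery
  # Unmatched recipients fall through to later routers (or are rejected).

local_delivery:
  driver = appendfile
  # Use the untainted lookup result, never $local_part itself, in the path:
  # "file = /var/mail/$local_part" would be refused at delivery time with a
  # tainted-data error.
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
```

The same reasoning applies to data fetched via `${run ...}`: because that expansion is not taint-checked at the time of this message, a command line built from `$local_part` or `$domain` receives client-controlled text directly, so the value should be passed through a trusted lookup (or otherwise validated against a fixed list) before it reaches the command.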