Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
On 30/04/2022 00:54, Slavko (tblt) via Exim-users wrote:
> Yes, as I wrote the same already some time ago, some generic
> ${detaint:...} expansion is missing.
That would be instantly abused.
> verify recipients from my MX to my other MTA (where local DB are
> stored) by callout. But that does not detaint recipient address nor
> domain,
That's worthy of consideration; thank you for the idea.
Essentially, it would be treating a backend MTA as a trusted DB
for lookup.
> As redis support is not full (and on Debian is missing at all) I use
> ${run ...} to communicate with redis and I am afraid, that I will have
> problems to use it in new version,
Volunteers to work on any aspect, including redis support, are
always welcome. It really needs someone who uses it and finds
a facility lacking (meaning: not me).
In the meantime, the ${run } expansion is not taint-checked
(and therefore still fertile ground for security breaches).