Re: [exim] Taint checking and exim 4.96rc0

Author: Kirill Miazine
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
• Jeremy Harris via Exim-users [2022-04-29 23:40]:
> > I'd welcome some generic way to untaint data.
>
> If you know of one which does not require a list
> of known-good values, and is not trivially abusable
> by blind copy-pasting of recipes found on random blogs -
> I'm all ears.


I think that something like ${untaint{$unsafe}{pattern}} could work.

The reason for this is that taint checking is to prevent untrusted
external data from being used in dangerous ways and thus cause troubles
to the system where Exim is running. Pattern would be a regular
expression, which should match the entire $unsafe string, or a *, which
would match anything and which would imply that the user knows what they
are doing. Whether or not to allow * could be a compile-time flag.

-- 
    -- Kirill Miazine <km@???>
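
The semantics proposed in the message above, modelled in Python as an added example; it is not part of the original post and is not Exim code. The names Tainted, untaint, open_path and ALLOW_WILDCARD are hypothetical, and the sample local parts are constructed.

```python
import re

# Hypothetical stand-in for the compile-time flag the post mentions;
# this is not a real Exim build option.
ALLOW_WILDCARD = False


class Tainted(str):
    """A string that arrived from an untrusted source (model only)."""


class TaintError(Exception):
    """Raised when tainted data reaches a sink or fails to untaint."""


def untaint(value, pattern, allow_wildcard=ALLOW_WILDCARD):
    """Model of the proposed ${untaint{$unsafe}{pattern}}.

    Returns a plain str only when the pattern matches the ENTIRE value,
    or when the pattern is "*" and the build permits the wildcard.
    """
    if pattern == "*":
        if not allow_wildcard:
            raise TaintError("wildcard untaint is disabled in this build")
        return str(value)
    # fullmatch, not search: a partial match would let "../" ride along
    # next to an innocuous-looking fragment.
    if re.fullmatch(pattern, value) is None:
        raise TaintError("value does not match the pattern in full")
    return str(value)


def open_path(base, name):
    """Sink that refuses tainted input, as a file-name check would."""
    if isinstance(name, Tainted):
        raise TaintError("tainted data used in a file name")
    return f"{base}/{name}"


def demo():
    """Run two constructed local parts through untaint and the sink."""
    results = {}
    for raw in (Tainted("alice"), Tainted("../../etc/passwd")):
        try:
            results[str(raw)] = open_path("/var/mail", untaint(raw, r"[a-z0-9]+"))
        except TaintError as exc:
            results[str(raw)] = f"rejected: {exc}"
    return results
```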