Re: [exim] Taint checking and exim 4.96rc0

Author: Kirill Miazine
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
• Jeremy Harris via Exim-users [2022-04-29 23:40]:
> > I'd welcome some generic way to untaint data.
>
> If you know of one which does not require a list
> of known-good values, and is not trivially abusable
> by blind copy-pasting of recipes found on random blogs -
> I'm all ears.


I think that something like ${untaint{$unsafe}{pattern}} could work.

The reason for this is that taint checking is to prevent untrusted
external data from being used in dangerous ways and thus causing trouble
to the system where Exim is running. Pattern would be a regular
expression, which should match the entire $unsafe string, or a *, which
would match anything and which would imply that the user knows what they
are doing. Whether or not to allow * could be a compile time flag.

-- 
    -- Kirill Miazine <km@???>
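
A model of the semantics proposed in the message above, as an added example that is not part of the original post and is not Exim code. The names `Tainted`, `untaint`, `ALLOW_WILDCARD` and `open_path_for` are hypothetical, and the sample values are constructed; the point shown is why "match the entire string" has to be enforced by the operator itself rather than left to anchors in the pattern.

```python
import re

# Hypothetical stand-in for the compile-time flag suggested in the message.
ALLOW_WILDCARD = False


class Tainted(str):
    """Marks a string as coming from an untrusted source (model only)."""


class UntaintError(ValueError):
    pass


def untaint(value, pattern, allow_wildcard=ALLOW_WILDCARD):
    """Return a plain str only if `pattern` matches the whole of `value`."""
    if pattern == "*":
        if not allow_wildcard:
            raise UntaintError("wildcard untaint disabled at build time")
        return str(value)
    # fullmatch, not match/search: with re.match, 'abc$' also accepts 'abc\n',
    # and an unanchored pattern would accept any value with a good prefix.
    if re.fullmatch(pattern, value) is None:
        raise UntaintError("value does not match pattern in full")
    return str(value)  # str() of a str subclass yields a plain, untainted str


def open_path_for(local_part):
    """Model of a sink that refuses tainted data, as taint checking does."""
    if isinstance(local_part, Tainted):
        raise UntaintError("tainted data used in file path")
    return "/var/mail/" + local_part


def demo():
    # Constructed sample inputs, as if taken from a recipient local part.
    samples = [Tainted("alice"), Tainted("alice\n"), Tainted("../etc/passwd")]
    results = {}
    for s in samples:
        try:
            results[str(s)] = open_path_for(untaint(s, r"[a-z0-9]+"))
        except UntaintError:
            results[str(s)] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```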