Re: [exim] Taint checking and exim 4.96rc0

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MJeremy Harris at <-
MJeremy Harris at ->
Delete this message
Reply to this message
Author: James
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
On 01/05/2022 11:19, Jeremy Harris via Exim-users wrote:
> If that subject string for the hash operator was less than
> 33 chars long, the operator returns it unchanged.
> If an attacker slipped some SQL syntax in there, your lookup
> would not do what you expected.

The hash did not do what I expect.

$ echo 1 | md5sum
b026324c6904b2a9cb4b88d6d61c81d1 -

> So it was already broken, lacking a quoting operation,
> and 4.96 discovered this for you.

Indeed, most grateful and I changed my config without complaint. All I
was doing was answering the question "Do we have *new* taintchecks..."





This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Taint checking and exim 4.96rc0Re: [exim] Taint checking and exim 4.96rc0->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)