Re: [exim] Taint checking and exim 4.96rc0

トップ ページ
このメッセージを削除
このメッセージに返信
著者: James
日付:  
To: exim-users
題目: Re: [exim] Taint checking and exim 4.96rc0
On 01/05/2022 11:19, Jeremy Harris via Exim-users wrote:
> If that subject string for the hash operator was less than
> 33 chars long, the operator returns it unchanged.
> If an attacker slipped some SQL syntax in there, your lookup
> would not do what you expected.


The hash did not do what I expect.

$ echo 1 | md5sum
b026324c6904b2a9cb4b88d6d61c81d1 -

> So it was already broken, lacking a quoting operation,
> and 4.96 discovered this for you.


Indeed, most grateful and I changed my config without complaint. All I
was doing was answering the question "Do we have *new* taintchecks..."