Re: [exim] 4.96 simplegreylist taint

Author: jacob dahl pind
Date:  
To: exim-users
Subject: Re: [exim] 4.96 simplegreylist taint
On 8/4/22 18:56, Andrew C Aitchison via Exim-users wrote:

>
> Earlier in that page acl_m_greyident is defined as:
>   # Generate a hashed 'identity' for the mail, as described above.
>   warn set acl_m_greyident =
> ${hash{20}{62}{$sender_address$recipients$h_message-id:}}
> I don't know whether hash untaints ... but as I read the spec,
> if $sender_address$recipients$h_message-id: is less than 20 characters
> the hash returns this string, which should still be tainted.
> Other hash functions (md5, sha1, sha256 etc) which appear never to
> return the original string, and thus *may* not be tainted, are available.
>


You were right, I looked at source and the hash doesn't seem to have any
untaint, unlike the sha etc.

Change the line to
warn set acl_m_greyident =
${sha256:{$sender_address$recipients$h_message-id:}}

which did the trick.

regards
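
An added illustration of the short-input rule discussed in this thread, not part of the original message and not Exim code. It models only the documented length rule and output alphabet of `${hash{n}{m}{...}}`; the mixing step, the function names and the sample strings are assumptions made for the example.

```python
import hashlib
import re
import string

# Output alphabet documented for ${hash}: the first m characters are used.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def exim_style_hash(n, m, s):
    """Model of ${hash{n}{m}{s}}: length rule and alphabet only."""
    if len(s) <= n:
        # Short input comes back verbatim, sender-chosen characters intact.
        return s
    # Stand-in mixing step (NOT Exim's algorithm): fold bytes into n slots.
    slots = [0] * n
    for i, b in enumerate(s.encode()):
        slots[i % n] = (slots[i % n] * 31 + b) & 0xFF
    return "".join(ALPHABET[v % m] for v in slots)


def sha256_ident(s):
    """Model of ${sha256:s}: fixed-length hex digest for any input."""
    return hashlib.sha256(s.encode()).hexdigest()


def is_safe_key(ident):
    """True if ident holds only characters safe for a lookup key or file name."""
    return re.fullmatch(r"[A-Za-z0-9]+", ident) is not None


# Constructed samples standing in for $sender_address$recipients$h_message-id:
SHORT = "a@b.c/../x"  # 10 characters, below the n=20 threshold
LONG = "alice@example.org" + "bob@example.net" + "<1234.5678@mail.example.org>"


def compare(value):
    """Return (hash-style ident, sha256 ident) for one input string."""
    return exim_style_hash(20, 62, value), sha256_ident(value)


if __name__ == "__main__":
    for label, value in (("short", SHORT), ("long", LONG)):
        h, d = compare(value)
        print(label, "hash:", h, "safe" if is_safe_key(h) else "UNSAFE")
        print(label, "sha256:", d, "safe" if is_safe_key(d) else "UNSAFE")
```
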