https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358
Summary: Configuration options from file now tainted
Product: Spamassassin
Version: 3.3.0
Platform: All
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P5
Component: Libraries
AssignedTo: [email protected]
ReportedBy: [email protected]
Hello there,
opening this in bugzilla to discuss here (as discussed via mail before):
Since SA 3.3.0, SA seems to consider variables that are read from configuration
files as tainted, even if they are read through the normal SA configuration
parser API. I don't really see the point for this because these options are
meant to be controlled by the user (explicitly), that's why they are in a
configuration file. In my case, these are even controlled only by the system
administrator. Furthermore, the SA parser already performs checks on these
values based on what is specified in the parser options.
Unfortunately, this change hasn't even been listed in the ChangeLog (apologies
if it is listed and I just haven't seen it yet), so I don't fully know yet when
something is considered tainted and when not.
What is the preferred way/recommendation of the devs here? As a short fix, I
untainted all configuration values again after the parser has finished.
Cheers,
Chris
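
Added example, not part of the original report and not SpamAssassin or plugin code: an alternative to untainting every configuration value wholesale is to untaint each option only through a pattern that describes its allowed shape, so anything malformed stays tainted. The option names (`myplugin_*`), the patterns and the sample configuration are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Run as: perl -T untaint_example.pl   (without -T nothing is tainted)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical plugin options, each with the only shape it may have.
# Under -T, a capture group from a successful match is untainted.
my %VALIDATOR = (
    myplugin_timeout => qr/\A([0-9]{1,4})\z/,
    myplugin_mode    => qr/\A(off|log|reject)\z/,
    myplugin_logfile => qr{\A(/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+)\z},
);

# Returns the untainted value, or undef if the option is unknown or malformed.
sub untaint_option {
    my ($name, $value) = @_;
    my $re = $VALIDATOR{$name} or return undef;
    return undef unless defined $value && $value =~ $re;
    my $clean = $1;
    # Extra rule for paths: refuse any ".." component.
    return undef
        if $name eq 'myplugin_logfile' && $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $clean;
}

# Constructed sample configuration; file input is tainted under -T.
while (my $line = <DATA>) {
    chomp $line;
    next if $line =~ /\A\s*(?:#|\z)/;    # skip comments and blank lines
    my ($name, $value) = split ' ', $line, 2;
    my $clean = untaint_option($name, $value);
    my $status = defined $clean
        ? sprintf('accepted (tainted=%d)', tainted($clean) ? 1 : 0)
        : 'rejected, stays tainted';
    printf "%-18s %-28s %s\n", $name, $value // '', $status;
}

__DATA__
# constructed sample lines, not taken from the bug report
myplugin_timeout 30
myplugin_mode    log
myplugin_logfile /var/log/myplugin.log
myplugin_logfile /var/log/../tmp/other.log
myplugin_timeout 30 seconds
myplugin_unknown anything
```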