https://bugs.exim.org/show_bug.cgi?id=2850

            Bug ID: 2850
           Summary: query-style lookup parameter safety enforcement
           Product: Exim
           Version: 4.95
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Lookups
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]

We have quote_<lookuptype> expansion operators to make arguments for
query-style lookups safe, but no way to enforce use.

How about some development of the taint-tracking to do so?
Noting that a tainted arg is legitimate, indeed common.


Possibly: a dynamically-created tainted lookup pool, used for the result of
a tainted arg to a quote_ operator.  Pool is tagged by the quoting type.
Further expansions of strings of this type stay in this pool
(legitimate subclass of the current taint-tracking rule).

Then: at the handover to the lookup implementation, test for taint *not* of
this special class (and error out if so).  Either untainted or this class is ok.

We wouldn't be able to handle stacked quoting of different types, but that's
a pretty unlikely case.


Inspired by
https://lists.exim.org/lurker/message/20211222.175742.8bec4b65.en.html

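A small model of the scheme proposed in the report, added here as an illustration; it is not code from Exim or from the reporter. All names are hypothetical: a class tag on each string stands in for pool membership, the escaping is simplified, and the rule for concatenating two different tainted classes is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model, not Exim's allocator: cls stands for the pool a string lives in. */
enum { UNTAINTED = 0, TAINTED = 1, QUOTED = 2 };  /* QUOTED + lk = pool tagged by lookup type */
enum { LK_MYSQL = 0, LK_LDAP = 1 };               /* constructed lookup-type ids */
typedef struct { int cls; char *s; } tstr;

static tstr mk(int cls, const char *s) {
    tstr t = { cls, malloc(strlen(s) + 1) };
    strcpy(t.s, s);
    return t;
}

/* Stand-in for a quote_<lookuptype> operator (simplified backslash escaping, not the real rules).
   A tainted argument lands in the pool tagged for lk; an untainted one stays untainted. */
static tstr quote_for(int lk, tstr in) {
    tstr t = { in.cls == UNTAINTED ? UNTAINTED : QUOTED + lk, malloc(2 * strlen(in.s) + 1) };
    char *p = t.s;
    for (const char *c = in.s; *c; c++) {
        if (*c == '\'' || *c == '\\') *p++ = '\\';
        *p++ = *c;
    }
    *p = '\0';
    return t;
}

/* Further expansion: untainted text joins the other operand's pool; mixing two different
   tainted classes falls back to plain taint (an assumption; the report leaves this open). */
static tstr cat(tstr a, tstr b) {
    int cls = a.cls == UNTAINTED ? b.cls : (b.cls == UNTAINTED || a.cls == b.cls) ? a.cls : TAINTED;
    tstr t = { cls, malloc(strlen(a.s) + strlen(b.s) + 1) };
    strcpy(t.s, a.s); strcat(t.s, b.s);
    return t;
}

/* Handover to the lookup: untainted or quoted-for-this-type passes, anything else is an error. */
static int handover_ok(int lk, tstr q) {
    return q.cls == UNTAINTED || q.cls == QUOTED + lk;
}

int main(void) {
    tstr pre = mk(UNTAINTED, "SELECT home FROM users WHERE name='");
    tstr arg = mk(TAINTED, "o'brien");            /* constructed tainted input */
    tstr raw = cat(pre, arg), safe = cat(pre, quote_for(LK_MYSQL, arg));
    printf("unquoted: %d, quoted: %d, wrong type: %d\n", handover_ok(LK_MYSQL, raw),
           handover_ok(LK_MYSQL, safe), handover_ok(LK_LDAP, safe));
    return 0;
}
```

Because the tag records only the most recent quoting type, a value quoted for one lookup and then for another is rejected by the first lookup's handover check, which is the stacked-quoting limitation the report accepts.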