Not by any user outside (that's why I suggest that even any string expansion in <charlist> should be disallowed, so it's not possible to inject ANY data from outside of the config file). A system administrator could do it, but then it's deliberate and his own fault.
The idea was to permit a safe form of detainting, in the same way that regular expressions detaint in Perl. You could for example do this in Perl:

    $taint =~ m/^(.*)$/; $detaint = $1;

And you would have bypassed that security measure. But then it's the programmer's own fault. You are however supposed to do something like:

    $taint =~ m/([a-zA-Z0-9]*)/; $detaint = $1;

The idea is more that currently, to detaint, you must specify a whitelist of domains to allow, prohibiting the use of, for example, sender domains in filenames. Why that? Isn't it better to allow any domain, as long as the data is safe to pass on? It's not like it would be unsafe to pass "evildomain.com" to a pipe or file transport; what's unsafe is if $domain would contain characters allowing a remote user to escape out of the directory or command, and thus write outside of the system administrator's restricted location (ergo command injection). That's why I suggest a character-based detainting system, where you specify allowed characters instead, which would allow many forms of tainted data to pass, but scrubbed of any danger.

-----Original message-----
From: Jeremy Harris via Exim-users <[email protected]>
Sent: 3 June 2020 13:23
To: [email protected]
Subject: Re: [exim] Suggestion: detainting via string exp

On 03/06/2020 11:56, Sebastian Nielsen via Exim-users wrote:
> I have a suggestion, and that is to allow detainting of data via a new string expansion called detaint.
> ${detaint{<string>}{<charlist>}}

No. Absolutely not.

This would be an open invitation to evade the security measure.

--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
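The character-whitelist detainting discussed in this thread, next to the unanchored-regex pitfall that the Perl snippets above illustrate, as an added example. This is not Exim code, not a Perl implementation, and not code by anyone in the thread; the allowed character set `DOMAIN_CHARS`, the sample inputs and the three function names are constructed for this example. It goes one step beyond the thread by also showing that a charlist on its own still admits values such as `..`, because dot is a legal domain character, so a per-label structural check is added as well.

```python
"""Character-whitelist detainting beside the unanchored-regex pitfall.
Added example; not Exim's code and not a Perl implementation."""
import re

# Characters accepted in a sender domain: letters, digits, dot and hyphen.
# This set is a constructed choice for the example, not an Exim default.
DOMAIN_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"
)


def detaint_unanchored(value: str) -> str:
    """Python mirror of the Perl idiom  $taint =~ m/([a-zA-Z0-9]*)/; $1
    The pattern is not anchored and '*' accepts an empty run, so it can never
    fail: it silently returns the leading alphanumeric prefix, possibly ''.
    Nothing dangerous gets through, but the caller never learns that the
    input was rejected, and an empty result is itself a hazard for file names."""
    return re.search(r"([a-zA-Z0-9]*)", value).group(1)


def detaint_by_charlist(value: str, allowed=DOMAIN_CHARS):
    """The charlist idea from the thread: pass the value through unchanged only
    if every character is in the allowed set.  Otherwise refuse (return None)
    rather than scrub, so no partially cleaned string reaches a command line
    or a file name."""
    if value and all(ch in allowed for ch in value):
        return value
    return None


# One DNS-style label: alphanumeric at both ends, hyphens allowed inside.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def detaint_domain(value: str):
    """Charlist check plus a structural check.  A charlist alone still lets
    '..' or '.hidden' through, because dot is a legal domain character; the
    per-label test rejects empty labels, so no path-like value survives."""
    if detaint_by_charlist(value) is None:
        return None
    if all(_LABEL.match(label) for label in value.split(".")):
        return value
    return None


# Constructed sample inputs: the sort of thing a remote sender controls.
SAMPLES = [
    "evildomain.com",      # unfriendly but harmless: should pass
    "mail-1.example.org",
    "../../etc",           # directory traversal attempt
    "..",                  # only allowed characters, still a traversal
    "x;id",                # shell metacharacter
    "",                    # empty value
]


def run_samples():
    """Apply all three checks to every sample.
    Returns {sample: (unanchored, charlist, domain)}."""
    return {
        s: (detaint_unanchored(s), detaint_by_charlist(s), detaint_domain(s))
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sample, (loose, charlist, domain) in run_samples().items():
        print(f"{sample!r:22} unanchored={loose!r:14} "
              f"charlist={charlist!r:22} domain={domain!r}")
```

Running the block prints one row per sample. The unanchored column shows that `../../etc` becomes `''` and `x;id` becomes `'x'` without any error; the charlist column shows `evildomain.com` passing untouched while `x;id` is refused, but also `..` passing; only the domain column refuses `..` as well.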