On 22/12/2021 17:57, Michael Haardt via Exim-users wrote:
> Would it be possible to expand all strings when reading the configuration
> without causing side effects to check any attempt of using tainted data
> at start up?

No.  Variables are used for data which varies on a finer grain
than "exim starting up".  For the specific case, $domain varies
with individual recipient (even within a given message).

> Does Exim do lazy evaluation during string expansion?

It does.

Also, though rarely used, it's not impossible for the
source of a string getting expanded to come from a
runtime-variable place.  Exim is that flexible.

> If not,
> dummy values should suffice for the purpose of checking if
> string expansions refer to tainted variables. This would also
> point out the attempt to use non-existent variables and verify
> overall syntax.

> Well, given that reason nobody needed taint checking to begin with. ;-)

You've not been following the log4j mess, obviously.
It's not funny at all.

Taint tracking for Exim was introduced because just such a mistake
was found in the then Exim default config.  It was a CVE.
The obvious point fix was done, but I decided it was just too simple
for anybody writing config to make a similar error.

There was actually a previous change made for similar reasons,
a decade back: the right-hand-side of certain expansions was made
no-longer-expanded.  It was deemed too easy to write a security hole.
This was an incompatible change, just like the introduction of
taint-tracking.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
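
The kind of configuration mistake taint tracking catches, next to the de-tainted form, as an added example that is not part of the original message or of Exim's shipped configuration. The router names and the /etc/exim/virtual directory are assumptions chosen for illustration.

```conf
# Constructed Exim router fragments; names and paths are placeholders.

# Weak: $domain comes straight from the recipient address, so it is
# tainted. Using it to build a file name is refused when the router
# runs for a recipient, not when the configuration is read.
weak_aliases:
  driver = redirect
  data = ${lookup{$local_part}lsearch{/etc/exim/virtual/$domain}}

# Corrected: the dsearch lookup matches only if a file named after the
# domain already exists in the directory. Its result, $domain_data, is
# that directory entry's name and is untainted, so it may be used in
# the path.
safe_aliases:
  driver = redirect
  domains = dsearch;/etc/exim/virtual
  data = ${lookup{$local_part}lsearch{/etc/exim/virtual/$domain_data}}
```

Both routers parse cleanly at start-up; the difference only shows once a real recipient domain is substituted, which is the per-recipient variation described in the reply above.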
