TL;DR:
I understand sending dangerous shell or SQL quote commands to pipes is
bad, but what was so hard about a de-taint(foo) that applies
[A-Za-z0-9+-] or something close to it? Hasn't this been solved
multiple times in other internet facing software? (and obviously
you can call an external command safely without shell quoting issues)
full answer:
First, thanks to everyone for the answers.
Before getting into the technical bits, I thought I'd try to give a
constructive rant on upgrades.
I'm 3 days into a massive server upgrade of a system I set up 25 years
ago and that is indeed running 25 years of stuff I wrote and accumulated
over the years. Thanks for not pointing out that it's about half the
life I've been on earth :)
On one side, it's awesome that I switched hardware twice and went from
32-bit to 64-bit userspace without ever having to re-install, and that I
can still run software that is 20 years old and absolutely abandonware,
but it still runs. Replacing everything would be so much work that I
would likely give up and start turning things off instead; only so many
hours in my life, sadly...
But now I'm switching to ARM64, so I really had to do a full re-install
and hand migration of 25 years of stuff. It's upgrades like exim's that
cause the death by a thousand cuts and also why I'm honestly wary of
upgrading anything anymore. But yeah, there are security issues, which
wasn't one for me here, but was for others.
Back to exim/mailman:
On Mon, Oct 27, 2025 at 08:12:29AM +0100, Thomas Krichel wrote:
> You should not be running Mailman21. It is no longer being
> supported. You need to move on to Mailman3.
I briefly looked at it, but it looked like too much work to upgrade for
something I have that works, runs 10 small lists that I barely maintain,
and that I would probably just turn off or move to googlegroups if I have to
start over with new software (I'll admit, I didn't look at how many
hours/days of work it'd be to upgrade my mailman config, which is very
custom and that I spent weeks on at the time, as it ran all of
sourceforge.net, for which I was the list and mail admin).
On Mon, Oct 27, 2025 at 08:57:51AM +0000, Jeremy Harris via Exim-users wrote:
> Were ${sg } to deliver de-tainted results it would be far too simple
> to write an RE similar to ".*" - and some bright spark would note this
> and publish a blog titled "One weird trick to solve all your Exim problems!",
> and we'd be back in log4j land.
But this is true for everything on the internet.
I'm surprised exim simply didn't come with a de_taint(foo) function
that applied a hardcoded shell safe regex. More on this below.
> PS: The "Concept Index" for the main documentation for Exim
>
> (https://exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html)
> has a subsection on "de-tainting".
Thanks for that link which I did miss.
With all the respect I owe to the exim4 authors and contributors, and I
know I'm several years late to this boat, stuff like this, and hours if
not days lost at the wrong time, is exactly why I don't trust upgrades
anymore: too much software has its special little things with
little regard for the cumulative impact on admins.
This feels quite complicated and over-engineered, especially when you
can call a pipe safely without shell quoting happening (and now it only
affects people with SQL injection issues or whatnot, but maybe the admin
can be trusted to know if input can be dangerous to the command at hand?)
Why not a de-taint(foo) that applies [A-Za-z0-9+-] or something close
to it? Hasn't this been solved multiple times in other internet facing
software?
Assuming that the admin is an idiot who can't be trusted is harmful, and
if they are, they will hurt themselves in other ways. Penalizing
everyone in that process with no opt-out (thanks to the debian folks for
the temporary "turn this off" upgrade flag) feels like the wrong way to
go.
But yes, I'm a few years late to this boat, in great part for the
chicken and egg problem that exactly because of issues like this, I've
mostly stopped upgrading software :-/
Security is important for sure, but trusting the admin and their time,
as well as not forgetting the death by a thousand cuts problem, is also
important.
I'll add that the current solution has been bad enough that I got
private Email replies of people who made their own de_taint function
that exim is missing.
Anyway, back to fixing this now. I genuinely appreciate everyone's
answers, and will follow up with the final solution for me that will
hopefully teach google and gemini/chatgpt.
Thank you,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Home page: http://marc.merlins.org/ | PGP 7F55D5F27AAF9D08
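As an added illustration of the two points argued above (a hardcoded allowlist de-taint, and calling an external command through argv rather than a shell), here is example code that is not from Exim, from Mailman, or from the author of the post. The regex is the post's own [A-Za-z0-9+-]; the `deliver_to_list` helper and the use of `printf` in place of a real list-delivery program are assumptions made for the example.

```python
import re
import subprocess
from typing import Optional

# Allowlist from the post: letters, digits, '+' and '-'. fullmatch() is used
# so the whole value must consist of these characters; a bare search for one
# safe character would accept any string that merely contains one.
SAFE_RE = re.compile(r"[A-Za-z0-9+-]+")

def detaint(value: str, max_len: int = 64) -> Optional[str]:
    """Return value unchanged if it is entirely allowlisted, else None.

    Rejecting, rather than stripping offending characters, keeps the caller
    from silently acting on a different name than the one that was supplied.
    """
    if not value or len(value) > max_len:
        return None
    if SAFE_RE.fullmatch(value) is None:
        return None
    # A leading '-' is allowlisted but would be parsed as an option by most
    # commands, so refuse it as a value that will end up in argv.
    if value.startswith("-"):
        return None
    return value

def run_without_shell(argv: list[str]) -> str:
    """Run argv directly (no shell), returning stdout.

    Without a shell, characters such as ';', '`' or '|' inside an argument
    are plain data to the child process, not command syntax.
    """
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True).stdout

def deliver_to_list(listname: str) -> str:
    """Hypothetical pipe transport: only a de-tainted list name reaches argv.

    printf stands in for the real list-delivery program in this example.
    """
    clean = detaint(listname)
    if clean is None:
        raise ValueError(f"tainted list name rejected: {listname!r}")
    return run_without_shell(["printf", "post %s\n", clean])
```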