Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
On 06-05-2021 15:01:33 +0200, Andreas K. Huettel wrote:
> > Unfortunately there is not much documentation on "tainted" data for
> > Exim[1], and to resolve this, non-official sources need to be used,
> > such as [2] and [3].
>
> This is a safety mechanism that is part of Perl (essentially a way of
> tracking data that is derived from "insecure" sources).
>
> So it probably would make sense to at least point towards that concept
> in Perl.

I think the concept is clear to most from the descriptions one can find.
The big problem however is the solution, how to fix one's configuration.
Luckily it seems people find their way to Exim's bugtracker to get help
there.

Thanks for the suggestion though,
Fabian

-- 
Fabian Groffen
Gentoo on a different level
Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
On Sunday, 2 May 2021, 11:56:34 CEST, Fabian Groffen wrote:
> Title: Exim >=4.94 disallows tainted variables in transport configurations
> Author: Fabian Groffen
> Posted: 2021-05-??
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: mail-mta/exim
>
> Since the release of Exim-4.94, transports refuse to use tainted
> data in constructing a delivery location. If you use this in your
> transports, your configuration will break, causing errors and
> possible downtime.
>
> Particularly, the use of $local_part in any transport should likely
> be updated with $local_part_data. Check your local_delivery
> transport, which historically used $local_part.
>
> Unfortunately there is not much documentation on "tainted" data for
> Exim[1], and to resolve this, non-official sources need to be used,
> such as [2] and [3].

This is a safety mechanism that is part of Perl (essentially a way of
tracking data that is derived from "insecure" sources).

So it probably would make sense to at least point towards that concept
in Perl.

https://perldoc.perl.org/perlsec

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
On 02-05-2021 12:23:30 +0200, Ulrich Mueller wrote:
> > On Sun, 02 May 2021, Fabian Groffen wrote:
>
> > Title: Exim >=4.94 disallows tainted variables in transport configurations
>
> Title is too long (GLEP 42 allows 50 chars max).

Ah, missed that.

> I have no idea what this news item is trying to tell me. But I don't use
> Exim, so probably that's the reason. :) Maybe mention at least that Exim
> is a mailer?

Fair point.

Thanks,
Fabian

-- 
Fabian Groffen
Gentoo on a different level
Re: [gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
> On Sun, 02 May 2021, Fabian Groffen wrote:

> Title: Exim >=4.94 disallows tainted variables in transport configurations

Title is too long (GLEP 42 allows 50 chars max).

> Author: Fabian Groffen
> Posted: 2021-05-??
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: mail-mta/exim

> Since the release of Exim-4.94, transports refuse to use tainted data in
> constructing a delivery location. If you use this in your transports,
> your configuration will break, causing errors and possible downtime.

> Particularly, the use of $local_part in any transport should likely be
> updated with $local_part_data. Check your local_delivery transport,
> which historically used $local_part.

> Unfortunately there is not much documentation on "tainted" data for
> Exim[1], and to resolve this, non-official sources need to be used, such
> as [2] and [3].

I have no idea what this news item is trying to tell me. But I don't use
Exim, so probably that's the reason. :) Maybe mention at least that Exim
is a mailer?

Ulrich

> [1] https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
> [2] https://mox.sh/sysadmin/tainted-filename-errors-in-exim-4.94/
> [3] https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/
[gentoo-dev] [News item review] Exim >=4.94 transports: tainted not permitted
Title: Exim >=4.94 disallows tainted variables in transport configurations
Author: Fabian Groffen
Posted: 2021-05-??
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: mail-mta/exim

Since the release of Exim-4.94, transports refuse to use tainted data in
constructing a delivery location. If you use this in your transports,
your configuration will break, causing errors and possible downtime.

Particularly, the use of $local_part in any transport should likely be
updated with $local_part_data. Check your local_delivery transport,
which historically used $local_part.

Unfortunately there is not much documentation on "tainted" data for
Exim[1], and to resolve this, non-official sources need to be used, such
as [2] and [3].

[1] https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
[2] https://mox.sh/sysadmin/tainted-filename-errors-in-exim-4.94/
[3] https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/

-- 
Fabian Groffen
Gentoo on a different level
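The $local_part to $local_part_data change the news item describes, shown as an added before/after fragment of a local_delivery transport; this is example configuration written for this review, not text from the news item and not Gentoo's shipped Exim configuration. It assumes a stock-style "localuser" router with check_local_user, which is what makes Exim look the local part up via getpwnam() and store the untainted result in $local_part_data.

```exim
# BEFORE (pre-4.94 style): the mailbox path is built from $local_part, which
# comes straight from the incoming envelope recipient and is therefore
# tainted. On Exim >= 4.94 this transport refuses to deliver.
begin transports

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

# AFTER: build the path from $local_part_data instead. That variable is only
# populated once a router has verified the local part against trusted data;
# with the assumed router below, check_local_user does that lookup and the
# value it stores is untainted, so the transport accepts it.
begin routers

localuser:
  driver = accept
  check_local_user
  transport = local_delivery

begin transports

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

Only one of the two local_delivery definitions may exist in a real configure file; they are shown together here to make the single changed line visible. `exim -bV` checks the file for syntax errors but does not catch taint misuse, which only surfaces when a message is actually delivered, so test with a real delivery to a local user and watch the main log.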