List: exim-users
Subject: Re: [exim] 4.94 - taint - generic workaround
From: Evgeniy Berdnikov via Exim-users <exim-users () exim ! org>
Date: 2020-07-20 10:03:55
Message-ID: 20200720100354.GB2672 () protva ! ru
On Mon, Jul 20, 2020 at 11:05:46AM +0200, Marcin Gryszkalis via Exim-users wrote:
> On 19.07.2020 23:00, Evgeniy Berdnikov via Exim-users wrote:
> > On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via
...
> > ${lookup {string} nwildlsearch,ret=key {/run/detaint}\
> > {expr-if-matched}{expr-if-fail}}
> >
> > where /run/detaint is a file with a character filter, in your case it may be
> > a single string with regex ^[\w\.\-]$ or
> >
> > ^[A-Za-z0-9_\.\-]+$
>
> As I understand it, this uses the change mentioned in the 4.94-rc0 changes:
>
> "- - An option on all single-key lookups, to return (on a hit)
> a de-tainted version of the lookup key rather than the looked-up data."
Yes.
> If so - then I don't really understand why this is any better than
> proposed string expansion detaint{$val}{regexp/charlist}...
It's more powerful, because many matching patterns may be put in a file,
ranging from simple "character filters" to very complex constructs.
You can also put a single asterisk for blind "all-detainting", if it
suits you. This is a note about functional capabilities.
If your question was about the user interface and look-and-feel,
I agree that the direction of its evolution does not seem right...
But I'm not an Exim developer. Developers may have other opinions.
--
Eugene Berdnikov
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
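The expansion discussed above, placed in a router so that only the de-tainted copy of the local part ever reaches a file path. This is an added example, not configuration from the thread or from the Exim project; the domain list name local_domains, the router and transport names, and the /var/mail path are assumptions.

```exim
# Assumed contents of /run/detaint (one key per line; nwildlsearch treats a
# line beginning with ^ as a regular expression, so this is the filter from
# the thread):
#
#   ^[A-Za-z0-9_\.\-]+$

local_mailboxes:
  driver = accept
  domains = +local_domains
  check_local_user
  # ret=key makes $value a de-tainted copy of the lookup key when a pattern in
  # /run/detaint matches. "fail" forces the expansion to fail when nothing
  # matches, and a forced failure of address_data makes the router decline,
  # so a local part that does not pass the filter is never delivered here.
  address_data = ${lookup {$local_part} nwildlsearch,ret=key {/run/detaint} {$value} fail}
  transport = local_delivery

local_delivery:
  driver = appendfile
  # Built from the de-tainted $address_data, never from the tainted $local_part
  file = /var/mail/$address_data
  delivery_date_add
  envelope_to_add
  return_path_add
```

Any local part that passes the filter and any that declines can be checked with `exim -bt user@example.com` before the change goes live.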