
List:       exim-users
Subject:    Re: [exim] 4.94 - taint - generic workaround
From:       Evgeniy Berdnikov via Exim-users <exim-users () exim ! org>
Date:       2020-07-20 10:03:55
Message-ID: 20200720100354.GB2672 () protva ! ru

On Mon, Jul 20, 2020 at 11:05:46AM +0200, Marcin Gryszkalis via Exim-users wrote:
> On 19.07.2020 23:00, Evgeniy Berdnikov via Exim-users wrote:
> > On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via
...
> >  ${lookup {string} nwildlsearch,ret=key {/run/detaint}\
> >  	  {expr-if-matched}{expr-if-fail}}
> >
> >  where /run/detaint is file with character filter, in your case it may be
> >  a single string with regex ^[\w\.\-]$ or
> >
> >  ^[A-Za-z0-9_\.\-]+$
> 
> As I understand this uses the change mentioned in 4.94-rc0 changes:
> 
> "- - An option on all single-key lookups, to return (on a hit)
> a de-tainted version of the lookup key rather than the looked-up data."

 Yes.

> If so - then I don't really understand why this is any better than
> proposed string expansion detaint{$val}{regexp/charlist}...

 It's more powerful, because many matching patterns may be put in a file,
 ranging from simple "character filters" to very complex constructs.
 You can also put a single asterisk for blind "all-detainting", if it
 suits you. This is a note about functional capabilities.
 
 If your question was about user interface and look-and-feel,
 I agree that direction of its evolution seems not right...
 But I'm not an Exim developer. Developers may have other opinions.
-- 
 Eugene Berdnikov

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
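As an added illustration (not code from the thread or from Exim itself), a small Python model of what the `ret=key` form of an `nwildlsearch` lookup does to a tainted value: the patterns file is the trusted allow-list, and the key comes back only when one of its patterns accepts it. It assumes a simplified pattern syntax (`^` regex, leading `*` suffix match, otherwise a case-insensitive literal, with any data after a colon ignored) and a constructed patterns file standing in for `/run/detaint`.

```python
import re
from typing import List, Optional

# Constructed stand-in for the /run/detaint file from the thread.
# With ret=key only the pattern part matters; the data after ":" is ignored.
DETAINT_FILE = r"""
# character filter from the thread: letters, digits, underscore, dot, dash
^[A-Za-z0-9_\.\-]+$: charfilter
# trailing-wildcard form: anything ending in .example.org (constructed)
*.example.org: suffix
# plain literal, matched case-insensitively like lsearch
postmaster: literal
"""

def parse_patterns(text: str) -> List[str]:
    """Read an lsearch-style file: skip blanks and comments, keep the key part."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(line.split(":", 1)[0].strip())  # assumes no ":" in keys
    return patterns

def pattern_matches(pattern: str, key: str) -> bool:
    """Simplified nwildlsearch matching (no string expansion of the pattern)."""
    if pattern.startswith("^"):                 # regular expression
        return re.search(pattern, key) is not None
    if pattern.startswith("*"):                 # "ends with"; a bare "*" matches anything
        return key.lower().endswith(pattern[1:].lower())
    return key.lower() == pattern.lower()       # literal, case-insensitive

def lookup_ret_key(tainted_key: str, patterns: List[str]) -> Optional[str]:
    """Model of ${lookup {key} nwildlsearch,ret=key {file}{hit}{fail}}.

    On a hit the lookup returns the key itself, which is now untainted because
    it was validated against patterns the administrator controls.  On a miss
    it returns None, i.e. the expansion takes the {expr-if-fail} branch.
    """
    for pattern in patterns:
        if pattern_matches(pattern, tainted_key):
            return tainted_key
    return None

PATTERNS = parse_patterns(DETAINT_FILE)

if __name__ == "__main__":
    for key in ["alice", "../etc/passwd", "POSTMASTER", "bob@mail.example.org"]:
        print(f"{key!r:28} -> {lookup_ret_key(key, PATTERNS)!r}")
    # The "single asterisk" file from the thread accepts everything:
    print(lookup_ret_key("anything goes!", parse_patterns("*: blind")))
```

The last call shows why a lone `*` is "blind" detainting: every key passes, so the taint check no longer adds any validation.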