On Wed, 3 Jun 2020, Sebastian Nielsen via Exim-users wrote:

> I have a suggestion, and that is to allow detainting of data via a
> new string expansion called detaint.
>
> ${detaint{<string>}{<charlist>}}
>
> Idea is that you supply the string you want detainted, and a
> "permitted character list" where all characters not on that list
> will be deleted. However, <charlist> must be untainted. Would even
> be better to completely disable string expansion for <charlist>.
>
> Example: if $domain contains "sebbe.eu/../../../../etc/passwd" then
> ${detaint{$domain}{abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.}}
> will return: sebbe.eu........etcpasswd in detainted form - which
> will be safe to use as a filename. OF COURSE it's the system
> administrator's responsibility to supply a character list that is
> "safe" for the use case of said tainted data.
>
> Because of the new stricter taint rules, system administrators
> shouldn't need to specify complete domain whitelists; it's better to
> allow for "any domain" as long as this "any domain" is scrubbed of
> any unsafe data.

"Safe" as in it will create a valid file, but not necessarily a unique one,
e.g. 3.com.com and 3com.com will use the same file
(these are both real addresses:
# host -t mx 3.com.com
3.com.com mail is handled by 10 mx203.inbound-mx.net.
3.com.com mail is handled by 10 mx203.inbound-mx.org.
# host -t mx 3com.com
3com.com mail is handled by 10 mxa-00010e01.gslb.pphosted.com.
3com.com mail is handled by 10 mxb-00010e01.gslb.pphosted.com.
).

And what about domain names with special (i.e. non-ASCII) characters?
Did you know that .eu also maintains Greek and Cyrillic top-level domains? See
https://eurid.eu/en/register-a-eu-domain/domain-names-with-special-characters-idns/

-----------------------

Exim has several hash functions. A hash of $domain is not as human readable
as your suggestion, but it would be a reasonable alternative filename,
although I have not verified that hashing untaints a string.

--
Andrew C. Aitchison                                     Kendal, UK
                        [email protected]
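To make the two points in this thread concrete (the proposed character-deletion "detaint" and the reply's concerns about collisions, non-ASCII names and hashing), here is an added Python model of the behaviour. It is example code written for this page, not Exim's string-expansion code or anything posted by either author. The allowlist is the one from the quoted proposal; the domain "παράδειγμα.eu" is a constructed sample, not a registered name. Note that with the quoted allowlist (which keeps ".") the names 3.com.com and 3com.com stay distinct; the collision described in the reply appears once "." is dropped from the list, for instance to rule out ".." in the result, so the model shows both lists.

```python
import hashlib
import string

# Allowlist exactly as given in the quoted proposal: letters, digits, "_", "-", ".".
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "_-.")
# A stricter list an administrator might choose to forbid ".." in filenames.
NO_DOT_CHARS = SAFE_CHARS - {"."}


def detaint(value: str, permitted=SAFE_CHARS) -> str:
    """Model of the proposed ${detaint{<string>}{<charlist>}}:
    every character not in the permitted set is deleted."""
    return "".join(ch for ch in value if ch in permitted)


def collides(a: str, b: str, permitted=SAFE_CHARS) -> bool:
    """True when two different inputs scrub to the same filename
    (the uniqueness problem raised in the reply)."""
    return a != b and detaint(a, permitted) == detaint(b, permitted)


def hashed_filename(domain: str) -> str:
    """Alternative suggested in the reply: name the file after a hash of
    the domain. Less readable, but distinct inputs stay distinct and the
    result is always filename-safe hex. Lower-casing reflects that DNS
    names are case-insensitive; that is a design choice of this example."""
    return hashlib.sha256(domain.lower().encode("utf-8")).hexdigest()


def idna_filename(domain: str) -> str:
    """Convert an internationalised domain to its ASCII (punycode) form
    before scrubbing, so a Greek or Cyrillic name is not reduced to
    just its top-level label by an ASCII-only allowlist."""
    ascii_form = domain.encode("idna").decode("ascii")
    return detaint(ascii_form)


if __name__ == "__main__":
    tainted = "sebbe.eu/../../../../etc/passwd"
    print("proposal example:", detaint(tainted))
    print("with '.': collide?", collides("3.com.com", "3com.com"))
    print("without '.': collide?", collides("3.com.com", "3com.com", NO_DOT_CHARS))
    print("hashed:", hashed_filename("3.com.com")[:16], hashed_filename("3com.com")[:16])
    greek = "παράδειγμα.eu"  # constructed sample IDN
    print("greek scrubbed directly:", repr(detaint(greek)))
    print("greek via punycode:", idna_filename(greek))
```

Running the block shows why the reply's caveats matter: character deletion is a many-to-one mapping, so whichever allowlist is chosen, some distinct inputs share a filename, while converting to punycode first keeps IDNs meaningful under an ASCII-only list.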

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
