> Yes, but its a positive match only - meaning you have to explicitly > specify allowed characters.The function should NOT be able to > specify forbidden characters - as then it would ve easy to miss bad > characters.If an sysadmin then writes a filter which is too broad - > its his own fault.
History has vividly demonstrated that providing a toolkit and asking people to build their own secure implementation from it does not create effective security (although it does let you blame a different set of people for the resulting insecurity). Many people will either make mistakes or not know all of the surprises and traps that are lurking, and so won't know to counter them. Effective security is almost always created by a few people who know the area very well spending a bunch of time to thoroughly explore all of the dark corners, then building something with as few options as possible (ideally none). Or to put it another way: I feel that people should not need to be experts in knowing what are safe and dangerous characters and character sequences in order to create safe Exim configurations. If they have to be such experts, there will be a lot of unsafe Exim configurations created. I think it's potentially sensible to provide an escape hatch, but I don't think that it should be the only way to do it; I think it should only be something that you resort to if you have highly unusual needs. And I share Jeremy Harris's worry that it will be cargo-culted and copied widely, even then. (Possibly unlike Jeremy Harris, I feel that if Exim provides no such safe-ish general un-tainting, people will still find ways to do it and then cargo-cult it. People are going to cargo-cult answers for this; the only question is whether Exim can help make that as safe as possible.) - cks -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/