On 22/12/2021 13:11, Michael Haardt via Exim-users wrote:
Perhaps quote_ldap should return an untainted string?

No, it does no real checking so would just be
an easy thing to abuse.

How would you do that? After all, originally it was introduced to prevent
just that, so people need to know.

Or are you talking about using quote_ldap outside the scope of ldap queries?

The latter.  Having quote_ldap do a detaint operation
would be foolish, because it could (and would) be used in
any context, including non-ldap-lookup ones, to defeat the
purpose of taint-tracking.  It could even potentially be
used as part of an exploit.

My "it" was referring to quote_ldap.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
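An added illustration of the point made above (not Exim code, and not from the thread's author): an escaping helper like quote_ldap makes a value safe for one sink only, so it carries the taint flag through unchanged, while the only way to clear taint is an explicit check against an allow-list; the local-part pattern below is a hypothetical policy.

```python
# Added illustration (not Exim code): why quote_ldap must not detaint.
# Escaping makes a value safe for ONE sink (an LDAP filter); the taint flag
# records where the value came from, which escaping does not change.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Str:
    value: str
    tainted: bool  # True if derived from untrusted input (e.g. a header)


# RFC 4515 filter escaping; the taint flag is carried through unchanged.
_LDAP_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def quote_ldap(s: Str) -> Str:
    return Str("".join(_LDAP_ESC.get(c, c) for c in s.value), s.tainted)


# The only legitimate way to detaint: an explicit allow-list check that the
# deployment defines (hypothetical policy, not Exim's own rules).
_LOCALPART_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def detaint_localpart(s: Str) -> Str:
    if not _LOCALPART_OK.fullmatch(s.value):
        raise ValueError(f"refusing to detaint {s.value!r}")
    return Str(s.value, tainted=False)


def ldap_filter(localpart: Str) -> str:
    # LDAP sink: quoting is what makes tainted data acceptable here.
    return f"(mail={quote_ldap(localpart).value})"


def spool_path(localpart: Str) -> str:
    # Filesystem sink: LDAP quoting proves nothing about path safety,
    # so a value that is still tainted is refused outright.
    if localpart.tainted:
        raise ValueError("tainted value used as a filename")
    return f"/var/spool/mail/{localpart.value}"


def is_rejected(sink, s: Str) -> bool:
    # Helper for checking that a sink refuses a value.
    try:
        sink(s)
    except ValueError:
        return True
    return False
```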