| 1 |
Am Sonntag, 2. Mai 2021, 11:56:34 CEST schrieb Fabian Groffen: |
| 2 |
> Title: Exim >=4.94 disallows tainted variables in transport |
| 3 |
> configurations Author: Fabian Groffen <grobian@g.o> |
| 4 |
> Posted: 2021-05-?? |
| 5 |
> Revision: 1 |
| 6 |
> News-Item-Format: 2.0 |
| 7 |
> Display-If-Installed: mail-mta/exim |
| 8 |
> |
| 9 |
> Since the release of Exim-4.94, transports refuse to use tainted |
| 10 |
> data in constructing a delivery location. If you use this in your |
| 11 |
> transports, your configuration will break, causing errors and |
| 12 |
> possible downtime. |
| 13 |
> |
| 14 |
> Particularly, the use of $local_part in any transport, should likely |
| 15 |
> be updated with $local_part_data. Check your local_delivery |
| 16 |
> transport, which historically used $local_part. |
| 17 |
> |
| 18 |
> Unfortunately there is not much documentation on "tainted" data for |
| 19 |
> Exim[1], and to resolve this, non-official sources need to be used, |
| 20 |
> such as [2] and [3]. |
| 21 |
|
| 22 |
This is a safety mechanism that is part of Perl (essentially a way of |
| 23 |
tracking data that is derived from "insecure" sources). |
| 24 |
|
| 25 |
So it probably would make sense to at least point towards that concept |
| 26 |
in Perl. |
| 27 |
|
| 28 |
https://perldoc.perl.org/perlsec |
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
Andreas K. Hüttel |
| 34 |
dilfridge@g.o |
| 35 |
Gentoo Linux developer |
| 36 |
(council, toolchain, base-system, perl, libreoffice) |
Archives