Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2010/03/02 12:25:25 UTC
[Bug 6358] New: Configuration options from file now tainted
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358
Summary: Configuration options from file now tainted
Product: Spamassassin
Version: 3.3.0
Platform: All
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P5
Component: Libraries
AssignedTo: dev@spamassassin.apache.org
ReportedBy: decoder@own-hero.net
Hello there,
opening this in bugzilla to discuss here (as discussed via mail before):
Since SA 3.3.0, SA seems to consider variables that are read from configuration
files as tainted, even if they are read through the normal SA configuration
parser API. I don't really see the point for this because these options are
meant to be controlled by the user (explicitly), that's why they are in a
configuration file. In my case, these are even controlled only by the system
administrator. Furthermore, the SA parser already performs checks on these
values based on what is specified in the parser options.
Unfortunately, this change hasn't even been listed in the ChangeLog (apologies
if it is listed and I just haven't seen it yet), so I don't fully know yet when
something is considered tainted and when not.
What is the preferred way/recommendation of the devs here? As a short fix, I
untainted all configuration values again after the parser has finished.
Cheers,
Chris
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
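The situation described in this report, as an added Perl example that is not SpamAssassin code and not taken from the thread: under taint mode (`-T`), values read from a configuration source carry the taint flag, and a plugin can clear it per option through an anchored validation pattern rather than untainting every value wholesale. The `myplugin_*` option names, the patterns and the sample configuration are constructed for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input; the myplugin_* option names are hypothetical.
my $conf_text = <<'END';
myplugin_timeout      30
myplugin_helper_path  /usr/local/bin/myplugin-helper
myplugin_log_dir      /var/log/myplugin; extra
END

# One anchored pattern per option. Only the captured group is kept, so a
# value loses its taint only after matching what that option permits.
# Path components must start with a word character, which rejects "..".
my %validator = (
    myplugin_timeout     => qr/\A(\d{1,4})\z/a,
    myplugin_helper_path => qr{\A((?:/\w[\w.-]*)+)\z}a,
    myplugin_log_dir     => qr{\A((?:/\w[\w.-]*)+)\z}a,
);

sub load_config {
    my ($text) = @_;
    my (%clean, @rejected);
    open my $fh, '<', \$text or die "cannot open config text: $!";
    while (my $line = <$fh>) {
        # split keeps the taint flag; regex captures here would clear it
        # before any per-option validation had happened.
        my ($key, $raw) = split ' ', $line, 2;
        next unless defined $raw;
        $raw =~ s/\s+\z//;
        my $re = $validator{$key};
        if ($re and my ($ok) = $raw =~ $re) {
            $clean{$key} = { value => $ok, raw_tainted => tainted($raw) ? 1 : 0 };
        } else {
            push @rejected, $key;   # unknown option or value outside the pattern
        }
    }
    return (\%clean, \@rejected);
}

my ($clean, $rejected) = load_config($conf_text);
printf "taint mode: %s\n", ${^TAINT} ? 'on' : 'off (run with perl -T)';
printf "accepted %-21s = %-31s raw tainted=%d, kept tainted=%d\n", $_,
    @{ $clean->{$_} }{qw(value raw_tainted)}, tainted($clean->{$_}{value}) ? 1 : 0
    for sort keys %$clean;
print "rejected $_ (value left tainted and unused)\n" for @$rejected;
```

Run it as `perl -T script.pl`; Perl refuses a `-T` shebang unless the switch is also given on the command line.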
[Bug 6358] Configuration options from file now tainted
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358
Kevin A. McGrail <km...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@pccc.com
--- Comment #1 from Kevin A. McGrail <km...@pccc.com> 2012-01-18 23:44:19 UTC ---
Can you mention a real-world problem this causes, please?
[Bug 6358] Configuration options from file now tainted
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358
decoder@own-hero.net <de...@own-hero.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |decoder@own-hero.net
--- Comment #2 from decoder@own-hero.net <de...@own-hero.net> 2012-01-18 23:50:37 UTC ---
Although this bug is ancient and I don't maintain the plugin anymore, this
caused plugins to malfunction if they did not explicitly untaint configuration
values that the SA config parser gave them.