Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2010/03/02 12:25:25 UTC

[Bug 6358] New: Configuration options from file now tainted

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358

           Summary: Configuration options from file now tainted
           Product: Spamassassin
           Version: 3.3.0
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: decoder@own-hero.net


Hello there,


opening this in bugzilla to discuss here (as discussed via mail before):

Since SA 3.3.0, SA seems to consider variables that are read from configuration
files as tainted, even if they are read through the normal SA configuration
parser API. I don't really see the point for this because these options are
meant to be controlled by the user (explicitly), that's why they are in a
configuration file. In my case, these are even controlled only by the system
administrator. Furthermore, the SA parser already performs checks on these
values based on what is specified in the parser options.

Unfortunately, this change hasn't even been listed in the ChangeLog (apologies
if it is listed and I just haven't seen it yet), so I don't fully know yet when
something is considered tainted and when not.

What is the preferred way/recommendation of the devs here? As a short fix, I
untainted all configuration values again after the parser has finished.


Cheers,


Chris

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6358] Configuration options from file now tainted

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmcgrail@pccc.com

--- Comment #1 from Kevin A. McGrail <km...@pccc.com> 2012-01-18 23:44:19 UTC ---
Can you mention a real-world problem this causes, please?


[Bug 6358] Configuration options from file now tainted

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6358

decoder@own-hero.net <de...@own-hero.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |decoder@own-hero.net

--- Comment #2 from decoder@own-hero.net <de...@own-hero.net> 2012-01-18 23:50:37 UTC ---
Although this bug is ancient and I don't maintain the plugin anymore, this
caused plugins to malfunction if they did not explicitly untaint configuration
values that the SA config parser gave them.

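
An added example, not part of the original bug thread and not SpamAssassin's own code: instead of blanket-untainting every configuration value, a plugin running under Perl taint mode can untaint each option through an allowlist pattern, so a value is only trusted once it has the expected shape. The option names (`myplugin_*`), their patterns and the sample lines are assumptions made up for this illustration.

```perl
# Run as: perl -T example.pl   (without -T nothing is tainted, but it still runs)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical plugin options, each with an allowlist pattern. Perl clears
# taint only on regex captures, so the capture group is what gets returned.
my %OPTION_PATTERN = (
    myplugin_timeout  => qr/\A(\d{1,4})\z/,
    myplugin_logfile  => qr{\A(/var/log/[A-Za-z0-9][A-Za-z0-9_.-]*)\z},
    myplugin_hostname => qr/\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/,
);

# Return an untainted copy of $value if it matches the option's pattern;
# return nothing if the option is unknown or the value is rejected.
sub untaint_option {
    my ($name, $value) = @_;
    return unless defined $name && defined $value;
    my $re = $OPTION_PATTERN{$name} or return;
    my ($clean) = $value =~ $re or return;
    return $clean;
}

# Constructed sample configuration lines, read from DATA so that they are
# tainted under -T just like values read from a real configuration file.
while (my $line = <DATA>) {
    chomp $line;
    next if $line =~ /^\s*(?:#|$)/;              # skip comments and blanks
    my ($name, $value) = split ' ', $line, 2;
    my $clean  = untaint_option($name, $value);
    my $result = defined $clean
        ? "accepted '$clean' (tainted=" . (tainted($clean) ? 1 : 0) . ")"
        : "rejected";
    printf "%-18s input tainted=%d -> %s\n",
        $name, (tainted($value) ? 1 : 0), $result;
}

__DATA__
# constructed sample values
myplugin_timeout 30
myplugin_timeout 30 minutes
myplugin_logfile /var/log/myplugin.log
myplugin_logfile /var/log/../tmp/out
myplugin_hostname scan01.example.org
myplugin_unknown anything
```

Rejected values stay tainted in the caller, so any later use in a file or process operation still trips Perl's taint checks.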