Why not use a simple whitelist string replacement? All characters but some known valid characters (say [a-zA-Z0-9_.-]) are replaced with a known valid character (say _)? We use that in puppet all the time to generate paths. As long as you disallow slashes you don't even have to worry about .. appearing in there. Potentially a check for a maximum length might be useful to add but that should fail on its own if the filesystem can not handle it.
Matthias The 2020-06-29 09:12:23, Michael Haardt via Exim-users wrote: > Matthias Hörmann via Exim-users <[email protected]> wrote: > > This essentially gets me back to where I started. I *want* any domains > > and local parts to be created as part of this process. I can live with > > the case where it won't create paths with dangerous characters (that > > never happened on dozens of servers in years of using this config, > > possibly because we filter addresses for valid characters in our ACLs) > > but I can not live with having to know any possible domain and local > > part in advance. > > That is a valid use case. I believe we need an alternative way to > verify tainted strings. The solution Jeremy gave was right in spirit, > but lookups shouldn't be the only way to verify strings. It would be > possible to encode additional verification methods in lookups, though. > Partially dsearch does that by not allowing "." and ".." as keys. > A lookup either returns data or fails, and that's exactly the interface > verification needs. > > For file systems, a function/lookup that verifies a part is a path > component (no slash inside), not . or .., and of a certain maximum length, > would be helpful. Perhaps it needs a base directory to use pathconf()? > > Michael > > -- > ## List details at https://lists.exim.org/mailman/listinfo/exim-users > ## Exim details at http://www.exim.org/ > ## Please use the Wiki with this list - http://wiki.exim.org/ -- Mit freundlichen Grüßen, Matthias Hörmann fon: +49 (0) 521 - 329647-29 fax: +49 (0) 521 - 329647-40 email: [email protected] --------------- saltation GmbH & Co. KG | Niederwall 43 | 33602 Bielefeld Sitz Bielefeld | Amtsgericht Bielefeld HRA 15344 Persönlich haftende Gesellschafterin: saltation Beteiligungs-GmbH | Niederwall 43 | 33602 Bielefeld Sitz Bielefeld | Amtsgericht Bielefeld HRB 39339 Geschäftsführer: Daniel Brün --------------- Wir erfüllen unsere Informationspflichten gem. Artt. 13-14 DS-GVO durch Veröffentlichung auf unserer Internetseite unter https://www.saltation.com/de/datenschutzerklaerung.html oder durch Zusendung auf Ihre formlose Anfrage. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
