On 05/02/2025 10:34, Andrew Bernard via Exim-users wrote:
> Can anybody explain to me what tainting is? I find no reference to it in the
> Hazel book on Exim. Consequently I have no idea how to debug issues with the
> pipe driver.

Exim has rich facilities for interpreting strings.
These are known as "string expansions".

It is extremely unwise to expand data supplied by a potential attacker
(cf. the Log4j brouhaha).

For this reason, Exim tracks data received from external channels,
regarding it as "tainted", and refuses to use it for anything sensitive
(including expansions).

There are many references in the docs; I suggest starting with the Concept 
Index.
--
Cheers,
  Jeremy
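
A minimal model of the behaviour described above, as an added example that is not part of the message and is not Exim's code: externally received data carries a taint mark, the mark propagates through expansion, and sensitive operations refuse it. The names `Tainted`, `expand`, `pipe_command` and `lookup`, the `$user` variable and the sample data are assumptions made for illustration; the lookup step goes beyond the message and models obtaining an untainted value from trusted local data.

```python
import re

class Tainted(str):
    """Marks a string that arrived over an external channel."""

class TaintError(Exception):
    """Raised when tainted data reaches a sensitive operation."""

def expand(template, variables):
    """Replace $name items; never interpret a tainted template."""
    if isinstance(template, Tainted):
        raise TaintError("refusing to expand tainted string")
    tainted = False

    def substitute(match):
        nonlocal tainted
        value = variables[match.group(1)]
        tainted = tainted or isinstance(value, Tainted)
        return value

    result = re.sub(r"\$(\w+)", substitute, template)
    # Taint propagates: one tainted input taints the whole result.
    return Tainted(result) if tainted else result

def pipe_command(command):
    """Sensitive sink: turn a command line into an argv list."""
    if isinstance(command, Tainted):
        raise TaintError("tainted command for pipe: %r" % str(command))
    return command.split()

def lookup(key, trusted_table):
    """Return the trusted table's own copy of key, or None if absent."""
    for entry in trusted_table:
        if entry == key:
            return entry  # untainted: it comes from local configuration
    return None

def demo():
    users = ["alice", "bob"]       # constructed trusted local data
    local_part = Tainted("alice")  # constructed value, as if taken from a message
    template = "/usr/local/bin/deliver $user"  # hypothetical command
    outcomes = []
    for value in (local_part, lookup(local_part, users)):
        try:
            outcomes.append(pipe_command(expand(template, {"user": value})))
        except TaintError as err:
            outcomes.append(str(err))
    return outcomes
```

In `demo()`, the first attempt is refused because the received value taints the expanded command; the second succeeds because the value used is the trusted table's copy.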
