path: root/doc/doc-docbook/spec.xfpt
author Jeremy Harris <jgh146exb@wizmail.org> 2019-07-25 12:06:07 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2019-07-25 12:06:07 +0100
commit f3ebb786e451da973560f1c9d8cdb151d25108b5
tree 8fd69711b9a429b20a1b8b1d18ae63b726cb9723 /doc/doc-docbook/spec.xfpt
parent 21aa05977abff1eaa69bb97ef99080220915f7c0
Track tainted data and refuse to expand it
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
-rw-r--r-- doc/doc-docbook/spec.xfpt 13
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c4d6112ad..32d57d027 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9219,7 +9219,13 @@ dependent upon the option for which a value is sought; in this documentation,
options for which string expansion is performed are marked with &dagger; after
the data type. ACL rules always expand strings. A couple of expansion
conditions do not expand some of the brace-delimited branches, for security
-reasons.
+reasons,
+.new
+.cindex "tainted data" expansion
+.cindex expansion "tainted data"
+and expansion of data deriving from the sender (&"tainted data"&)
+is not permitted.
+.wen
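Review bot: The added clause "and expansion of data deriving from the sender (&"tainted data"&) is not permitted" is joined by a comma to the sentence about unexpanded brace-delimited branches, so the new rule reads as an aside to an unrelated point. It should be its own sentence. As the only definition of "tainted data" in this hunk, it also leaves two things unstated that an administrator needs: which inputs count as deriving from the sender, and what the result of a refused expansion is (for example an expansion failure that is logged). Consider adding both, or a cross-reference to wherever they are specified.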
@@ -39543,6 +39549,11 @@ was received from the client, this records the Distinguished Name from that
certificate.
.endlist
+.new
+Any of the above may have an extra hyphen prepended, to indicate the the
+corresponding data is untrusted.
+.wen
+
Following the options there is a list of those addresses to which the message
is not to be delivered. This set of addresses is initialized from the command
line when the &%-t%& option is used and &%extract_addresses_remove_arguments%&
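Review bot: In the added paragraph, "to indicate the the corresponding data is untrusted" has a doubled word; it should read "to indicate that the corresponding data is untrusted". The paragraph also says "untrusted" where the first hunk introduces the term "tainted data"; using the same term here, with a matching .cindex entry, would let readers connect the spool-file marker to the expansion restriction. Since tools that read this file will meet the extra-hyphen form, a one-line example of a marked option would help.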