appendfile: taint-enforce file & directory options

testsuite: bless facility

2 files changed, 11 insertions, 0 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 254ed69cc..bb2ce122c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -22371,6 +22371,14 @@ If &%file%& or &%directory%& is set for a delivery from a redirection, it is
 used to determine the file or directory name for the delivery. Normally, the
 contents of &$address_file$& are used in some way in the string expansion.
 .endlist
+.new
+.cindex "tainted data" "in filenames"
+.cindex appendfile "tainted data"
+Tainted data may not be used for a file or directory name.
+This means that, for instance, &$local_part$& cannot be used directly
+as a component of a path.  It can however be used as the key for a lookup
+which returns a path (or component).
+.wen
 
 
 .cindex "Sieve filter" "configuring &(appendfile)&"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2b5b592c5..27292954a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -87,6 +87,9 @@ JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
       were used, and the second one (for mainlog/paniclog) retrieved null
       information.
 
+JH/20 Taint checking: disallow use of tainted data for the appendfile transport
+      file and directory options.  Previously this was permitted.
+
 
 Exim version 4.93
 -----------------