Track tainted data and refuse to expand it

2 files changed, 16 insertions, 1 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c4d6112ad..32d57d027 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9219,7 +9219,13 @@ dependent upon the option for which a value is sought; in this documentation,
 options for which string expansion is performed are marked with † after
 the data type.  ACL rules always expand strings.  A couple of expansion
 conditions do not expand some of the brace-delimited branches, for security
-reasons.
+reasons,
+.new
+.cindex "tainted data" expansion
+.cindex expansion "tainted data"
+and expansion of data deriving from the sender (&"tainted data"&)
+is not permitted.
+.wen
 
 
 
@@ -39543,6 +39549,11 @@ was received from the client, this records the Distinguished Name from that
 certificate.
 .endlist
 
+.new
+Any of the above may have an extra hyphen prepended, to indicate the the
+corresponding data is untrusted.
+.wen
+
 Following the options there is a list of those addresses to which the message
 is not to be delivered. This set of addresses is initialized from the command
 line when the &%-t%& option is used and &%extract_addresses_remove_arguments%&
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2e839039c..78cb12720 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -149,6 +149,10 @@ JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
 
 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
 
+JH/32 Introduce a general tainting mechanism for values read from the input
+      channel, and values derived from them.  Refuse to expand any tainted
+      values, to catch one form of exploit.
+
 
 Exim version 4.92
 -----------------