Add perl_taintmode option

3 files changed, 23 insertions, 0 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e30f17cc0..5eb3d1909 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -12977,6 +12977,17 @@ overriding the setting of &%perl_at_start%&.
 There is also a command line option &%-pd%& (for delay) which suppresses the
 initial startup, even if &%perl_at_start%& is set.
 
+.new
+.ilist
+.oindex "&%perl_taintmode%&"
+.cindex "Perl" "taintmode"
+To provide more security executing Perl code via the embedded Perl
+interpeter, the &%perl_taintmode%& option can be set. This enables the
+taint mode of the Perl interpreter. You are encouraged to set this
+option to a true value. To avoid breaking existing installations, it
+defaults to false.
+.wen
+
 
 .section "Calling Perl subroutines" "SECID86"
 When the configuration file includes a &%perl_startup%& option you can make use
@@ -13505,6 +13516,7 @@ listed in more than one group.
 .table2
 .row &%perl_at_start%&               "always start the interpreter"
 .row &%perl_startup%&                "code to obey when starting Perl"
+.row &%perl_taintmode%&		     "enable taint mode in Perl"
 .endtable
 
 
@@ -15622,14 +15634,20 @@ local parts. Exim's default configuration does this.
 
 
 .option perl_at_start main boolean false
+.cindex "Perl"
 This option is available only when Exim is built with an embedded Perl
 interpreter. See chapter &<<CHAPperl>>& for details of its use.
 
 
 .option perl_startup main string unset
+.cindex "Perl"
 This option is available only when Exim is built with an embedded Perl
 interpreter. See chapter &<<CHAPperl>>& for details of its use.
 
+.option perl_startup main boolean false
+.cindex "Perl"
+This Option enables the taint mode of the embedded Perl interpreter.
+
 
 .option pgsql_servers main "string list" unset
 .cindex "PostgreSQL lookup type" "server list"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 6c55bd82c..496e9d07e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -329,6 +329,8 @@ JH/35 Bug 1642: Fix support of $spam_ variables at delivery time.  Was
 JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command
       added for tls authenticator.
 
+HS/03 Add perl_taintmode main config option
+
 
 Exim version 4.85
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 4f369bc65..07e6f1dba 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -9,6 +9,9 @@ the documentation is updated, this file is reduced to a short list.
 Version 4.88
 ------------
 
+ 1. The new perl_tainmode option allows to run the embedded perl
+    interpreter in taint mode.
+
 
 Version 4.87
 ------------