From f0ed88dac3d0bb2ec10c3e799d4b410b3ec2c0c4 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 11 Dec 2019 10:07:08 +0000 Subject: Taint: tweak internal documentation --- src/src/local_scan.h | 5 ++++- src/src/store.c | 8 +++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/src/local_scan.h b/src/src/local_scan.h index da9a8911a..548f70dbd 100644 --- a/src/src/local_scan.h +++ b/src/src/local_scan.h @@ -9,7 +9,10 @@ source for the local_scan.c() function. It contains definitions that are made available for use in that function, and which are documented. -This API is also used for functions called by the ${dlfunc expansion item. */ +This API is also used for functions called by the ${dlfunc expansion item. +Coders of dlfunc routines should read the notes on tainting at the start of +store.c +*/ /* Some basic types that make some things easier, the Exim configuration diff --git a/src/src/store.c b/src/src/store.c index b65649f4a..61f9464af 100644 --- a/src/src/store.c +++ b/src/src/store.c @@ -62,9 +62,11 @@ The following different types of store are recognized: recopy a string being built into a tainted allocation if it meets a %s for a tainted argument. Any intermediate-layer function that (can) return a new allocation should behave this way; returning a tainted result if any tainted - content is used. Users of functions that modify existing allocations should - check if a tainted source and an untainted destination is used, and fail instead - (sprintf() being the classic case). + content is used. Intermediate-layer functions (eg. Ustrncpy) that modify + existing allocations fail if tainted data is written into an untainted area. + Users of functions that modify existing allocations should check if a tainted + source and an untainted destination is used, and fail instead (sprintf() being + the classic case). */ -- cgit v1.2.3
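Review bot: In the src/src/local_scan.h hunk, the added sentence "Coders of dlfunc routines should read the notes on tainting at the start of store.c" has no closing full stop and gives dlfunc authors nothing to act on unless they open another file. Consider ending the sentence with a period and stating the one rule that matters to them here, taken from the store.c comment: a function that returns a new allocation should return a tainted result if any tainted content is used. The pointer to store.c can stay for the detail, but a cross-file reference to "the start of" a .c file is easy to leave stale if that comment block moves.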
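Review bot: In the src/src/store.c hunk, the new sentence says intermediate-layer functions (eg. Ustrncpy) "fail if tainted data is written into an untainted area" but does not say what failing means for the caller (whether the call returns an error or the process stops), which is what someone writing against these functions needs to know. It also leaves the following sentence ambiguous: "Users of functions that modify existing allocations should check ... and fail instead" now reads as if callers must still check before calling Ustrncpy, which already enforces the rule. Suggest scoping that second sentence to functions that do not enforce it themselves, with sprintf() as the example, and dropping the now-dangling "instead". While touching the line, "a tainted source and an untainted destination is used" should read "are used".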