One of the major issues is that we should use safe parser flags for all inputs aside of the real configuration which we should really trust. It means that we need to disable macros, file variables and other UCL features when it is used to parse any potentially unsafe content. I do not treat it as a security vulnerability so far, as Rspamd operates with merely trusted content by HTTP by default, however, it is good to fix to avoid any potential future mususes or even exploits possibilities.
projects / thirdparty / rspamd.git / commitdiff
