Bug 161402: Disable DBI taint mode in processmail
Status: RESOLVED FIXED (opened 22 years ago, closed 22 years ago)
Categories: Bugzilla :: Email Notifications, defect, P1
Tracking: Bugzilla 2.18
People: Reporter: bbaetz, Assigned: bbaetz
Attachments (1 file): patch (deleted); bugreport: review+, bbaetz: review+
DBI has a taint setting, where data coming into DBI is checked, and data going
out is marked as tainted. This is enabled in processmail only.
We already manually check data going into the db. Stuff coming from the db is a
problem, because:
a) this is only done in processmail
b) it's useless
Seriously, we have to trust what comes out of the database - there's really no
point if we don't. And adding trick_taint calls to every single db query strikes
me as a useless waste of time.
So I'd like to remove the stuff from processmail.
Comments?
Updated•22 years ago (Assignee)
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
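Added example, not part of the original bug report and not Bugzilla or DBI code: a pure-Perl illustration of the two directions the description distinguishes, checking data on the way in and marking data tainted on the way out, with no DBI loaded. `fetch_email`, `untaint_bug_id`, `blind_untaint`, `send_to` and the sample row are hypothetical stand-ins; `blind_untaint` plays the role the description gives to trick_taint calls.

```perl
# Added illustration (not Bugzilla code). Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string: appending it taints a value without changing it.
my $TAINT = substr(join('', $^X, values %ENV), 0, 0);
die "run with: perl -T $0\n" unless ${^TAINT} && tainted($TAINT);

my %FAKE_DB = (42 => 'dev@example.invalid');   # constructed row, stands in for the db

# taint_in:  refuse tainted arguments (data coming in is checked).
# taint_out: mark returned values as tainted (data going out is distrusted).
sub fetch_email {
    my ($bug_id, %opt) = @_;
    die "tainted argument refused\n" if $opt{taint_in} && tainted($bug_id);
    my $value = $FAKE_DB{$bug_id};
    return $opt{taint_out} ? $value . $TAINT : $value;
}

# Validating untaint: the capture is clean only because the pattern matched.
sub untaint_bug_id {
    my ($raw) = @_;
    if ($raw =~ /\A(\d{1,9})\z/) { my $clean = $1; return $clean }
    return;
}

# Blind untaint: clears the taint flag and checks nothing.
sub blind_untaint {
    my ($raw) = @_;
    $raw =~ /\A(.*)\z/s;
    my $clean = $1;
    return $clean;
}

# Stand-in for a taint-checked sink such as a pipe to the mailer.
sub send_to { die "insecure dependency\n" if tainted($_[0]); return "sent to $_[0]" }

my $input = '42' . $TAINT;                     # constructed request parameter
my $r = eval { fetch_email($input, taint_in => 1) } // "refused: $@";
print "unvalidated id -> $r";
my $id    = untaint_bug_id($input);
my $email = fetch_email($id, taint_in => 1, taint_out => 1);
$r = eval { send_to($email) } // "refused: $@";
print "taint-out result -> $r";
print "after blind untaint -> ", send_to(blind_untaint($email)), "\n";
```

The inbound check stops the unvalidated id, while the outbound marking only forces a blind untaint before the sink, which adds no validation of its own.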
Comment 1•22 years ago
I agree.
Comment 2•22 years ago
Agreed. Do it. I like the manual taint checking on SendSQL that you came up
with better anyway. :-) (and the DBI docs say the taint mode is subject to
change anyhow)
Comment 3•22 years ago
Sounds good to me.
Bradley: I'm going to roll this change into the uber patch for bug 124174, which
we talked about my taking over to push it through review and checkin on IRC.
This is, of course, assuming that the situation is still the same as it was when
we had that conversation (i.e. your free time availability is low, you're
gone, etc.)
That's a high priority bug for me right now, what with *my* free time availability.
Comment 4 (Assignee)•22 years ago
I might do this separately, simply because this will allow me to remove some
ugly stuff for bug 43600. It's one line + comments, so it won't take that much
time...
(Plus a mail to the DBI list asking for taintin and taintout to be separated)
Comment 5 (Assignee)•22 years ago
This is the quick patch. Removing unneeded taint stuff can happen later, when
processmail is package-ised.
Comment 6 (Assignee)•22 years ago
-> me
Comment 7•22 years ago
Comment on attachment 94601: v1
Gets r= from Joel. No 2xr needed.
Attachment #94601 - Flags: review+
Comment 8 (Assignee)•22 years ago
Comment on attachment 94601: v1
Apparently, 'no 2xr needed' is being done by checking both boxes.
Attachment #94601 - Flags: review+
Comment 9 (Assignee)•22 years ago
Checked in.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa