Taint: tweak internal documentation

diff --git a/src/src/local_scan.h b/src/src/local_scan.h
index da9a8911adbc703d4971bd9b882807604b8c7b7a..548f70dbd60f9ce7648711130965e6d6a1f13fad 100644 (file)
--- a/src/src/local_scan.h
+++ b/src/src/local_scan.h
@@ -9,7 +9,10 @@
 source for the local_scan.c() function. It contains definitions that are made
 available for use in that function, and which are documented.
 
-This API is also used for functions called by the ${dlfunc expansion item. */
+This API is also used for functions called by the ${dlfunc expansion item.
+Coders of dlfunc routines should read the notes on tainting at the start of
+store.c
+*/
 
 
 /* Some basic types that make some things easier, the Exim configuration

diff --git a/src/src/store.c b/src/src/store.c
index b65649f4aad1db3c55d976b5f55c09e295554b9d..61f9464af58bdd76b42d07529a05cce8bc78001c 100644 (file)
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -62,9 +62,11 @@ The following different types of store are recognized:
   recopy a string being built into a tainted allocation if it meets a %s for a
   tainted argument.  Any intermediate-layer function that (can) return a new
   allocation should behave this way; returning a tainted result if any tainted
-  content is used.  Users of functions that modify existing allocations should
-  check if a tainted source and an untainted destination is used, and fail instead
-  (sprintf() being the classic case).
+  content is used.  Intermediate-layer functions (eg. Ustrncpy) that modify
+  existing allocations fail if tainted data is written into an untainted area.
+  Users of functions that modify existing allocations should check if a tainted
+  source and an untainted destination is used, and fail instead (sprintf() being
+  the classic case).
 */