Re: [exim] string expansion fail with missing } at end of st…

Author: Peter Gervai
Date:
To: exim-users
Subject: Re: [exim] string expansion fail with missing } at end of string
Hello Phil,

On Mon, Oct 7, 2013 at 11:06 PM, Phil Pennock <exim-users@???> wrote:
> On 2013-10-07 at 12:13 +0200, Peter Gervai wrote:
>> > ${if match_ip{$sender_host_address}{ ${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}} } {no}{yes}}
>
> We had too many people creating security holes through misconfiguration
> so I introduced EXPAND_LISTMATCH_RHS and defaulted it off; this is in
> the second-last paragraph of the description of match_ip in The Exim
> Specification.


Ah, you're right. My bad.

> You fell afoul of the one place where Exim behaves inconsistently; it
> does so because the right-hand-side is a list.


What I was thinking is maybe the error message could hint this
possibility, but I'm not sure it can be separated from the normal
parameter error cases. Just mentioning, maybe.

> Thus if the dnsdb string were slightly different and looked up something
> which could return a TXT record or a hostname, then you would have an
> injection attack against the configuration using DNS as a vector.


Indeed, I agree with the move.

> Since you found a way which works, and which I hope is simpler to read,
> understand and debug, I think you're good?


Yes thank you, I'm good. It was originally about the nice fragments on the wiki:

https://github.com/Exim/exim/wiki/Verification

where the ADSL examples actually won't work under the new regime since
they're using the condition with match_ip and a lookup. The rewrite is
tougher since the acl already contains a '!hosts' predicament so I
only attached a comment at the end and let the end user find a
solution. Evil. :-)

(A hack would be to expand the string first into a variable I guess,
or to combine the existing hosts check with the new one, but it
doesn't look to be simple.)

In my case I had no previous hosts check so for me it was easy.

Thanks,
Peter
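One way to carry out the rewrite sketched above for the simple case (no pre-existing hosts check): expand the lookup into an ACL variable first, then test the result with the ACL's own hosts condition instead of match_ip's second argument. This is an added example, not configuration from the thread or from the Exim wiki; the variable name acl_m_mxips and the deny message are placeholders, and it assumes that the ACL hosts condition expands its list while match_ip's second argument stays literal unless Exim was built with EXPAND_LISTMATCH_RHS.

```exim
# Added example (not from the thread). Goes in an RCPT-time ACL.
#
# Before: the lookup sat inside match_ip's second argument. With
# EXPAND_LISTMATCH_RHS off (the default) that argument is taken literally,
# the lookup text never expands, and the condition silently stops matching:
#
#   deny condition = ${if match_ip{$sender_host_address}{ ${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}} } {no}{yes}}
#
# After: expand explicitly into an ACL variable (acl_m_mxips is a placeholder
# name), then hand the result to the hosts condition, whose list is expanded
# before it is split into items. Only this one explicit expansion happens;
# the DNS answer itself is never fed back through the expander, so record
# content cannot turn into expansion syntax.
warn   set acl_m_mxips = ${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}}

# Reject when the connecting host is not one of the sender domain's MX
# addresses. Bounces have an empty sender and therefore an empty list, so
# they are excluded first ("senders = :" matches the null sender).
# The '<:' list separator matches the '>:' output separator used above;
# switch both to ';' if IPv6 addresses, which contain colons, can appear.
deny   !senders = :
       !hosts   = <: $acl_m_mxips
       message  = Sender domain $sender_address_domain has no MX at $sender_host_address
```

A sender domain with no resolvable MX yields an empty list and is rejected as well; relax that with an additional condition if that is not the intended policy.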