Re: [exim] Expansion errors on upgrade to 4.80

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Expansion errors on upgrade to 4.80
On 23/07/16 17:19, Andy Bennett wrote:
> I've been running exim 4.72 for some time and last night I upgraded to 4.80.


You do realise 4.80 is well out-of-date now?



> failed to expand ACL string "${if
> !match_address{$h_From:}{${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}}}":
> missing or misplaced { or }


> LOCAL_SENDERS = ${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}


>           condition = ${if !match_address{$h_From:}{LOCAL_SENDERS}}


> This has been working fine in 4.76 but now the expansion seems to fail
> and it's not obvious to me as to why.
>
> I've read the ChangeLog


> Does anyone have any idea where I'm going wrong and what I can change to
> make it work again?


PP/11 match_* no longer expand right-hand-side by default.
      New compile-time build option, EXPAND_LISTMATCH_RHS.
      New expansion conditions, "inlist", "inlisti".



+# It has proven too easy in practice for administrators to configure
security
+# problems into their Exim install, by treating match_domain{}{} and
friends
+# as a form of string comparison, where the second string comes from
untrusted
+# data. Because these options take lists, which can include
lookup;LOOKUPDATA
+# style elements, a foe can then cause Exim to, eg, execute an
arbitrary MySQL
+# query, dropping tables.
+# From Exim 4.77 onwards, the second parameter is not expanded; it can
still
+# be a list literal, or a macro, or a named list reference. There is also
+# the new expansion condition "inlisti" which does expand the second
parameter,
+# but treats it as a list of strings; also, there's "eqi" which is probably
+# what is normally wanted.
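Review bot: the closing sentence of this comment names only "inlisti" as the condition that expands the second parameter, while the ChangeLog entry quoted above adds both "inlist" and "inlisti". List both so an administrator reading only this file knows a second form exists. In the lines shown, the comment also never names EXPAND_LISTMATCH_RHS, the build option the ChangeLog ties to this change. Naming it next to "From Exim 4.77 onwards, the second parameter is not expanded" would tell a reader with an existing configuration what controls the behaviour.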

--
Cheers,
Jeremy
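The change described in this message, applied to the configuration from the question, as an added example that is not part of the original thread or of Exim's own documentation. It assumes the values in /etc/exim4/local_senders are colon-separated lists of plain addresses with no wildcard or lookup-style items, because "inlisti" compares strings rather than address patterns.

```exim
# Before: depends on match_address expanding its second argument.
# On the 4.80 install in this thread the right-hand side is no longer
# expanded, and the ACL fails with "missing or misplaced { or }".
LOCAL_SENDERS = ${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}

  condition = ${if !match_address{$h_From:}{LOCAL_SENDERS}}

# After: replace the condition above with "inlisti". It expands both
# arguments, but the result of the lookup is treated as a list of plain
# strings, so an element of the form lookup;LOOKUPDATA coming back from
# the data is compared as text and never run as a lookup.
  condition = ${if !inlisti{$h_From:}{LOCAL_SENDERS}}

# Rebuilding with EXPAND_LISTMATCH_RHS set would bring back the old
# expansion of the right-hand side, together with the exposure the
# quoted comment describes.
```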