Re: [exim] Sieve filters broken due to tainted expansions?

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Sieve filters broken due to tainted expansions?
On 07/01/2020 20:20, Michael Haardt via Exim-users wrote:
> This is quite likely an internal expansion from sieve.c:2327. I did
> not really follow the list recently, so I missed the introduction of
> "tainted" expansions, but the code does this:
>
>       expand_header(&header_value,h);
>       header_def=expand_string(string_sprintf("${if def:header_%s {true}{false}}",quote(h)));
>       if (header_value.character == NULL || header_def == NULL)


Yes, I found that location also. But, so far, all the coding
looks ok - and a quick testcase finds no issues.

> That's to expand and check if a header is defined in order to
> compare it with a value. Perhaps there is a better way to do
> that


That depends somewhat on how much modularity we want to maintain
(here, between the sieve-filter code - which is somewhat of an
add-on - and the exim core code. We could, for instance, provide
and use native interfaces for querying headers rather than going
via the expansions facility). But it's not wrong to be using
those expansions IF the strings being expanded are untainted
(obviously the results could be; in fact _will_ be for headers).

Actually, explaining that has made me wonder... where was the
filter script coming from for Tobias' case, and do we consider
that as a trusted source or a tainted one? I'll have a dig
in that direction.
-- 
Cheers,
  Jeremy
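
Added example, not part of the thread and not Exim's code: a simplified C model of the rule discussed above, in which an expander refuses a tainted input string while its result may itself be tainted. The `tstr` type and every function name are hypothetical, and the per-string flag is a modelling assumption rather than Exim's representation of taint; only the `${if def:header_%s ...}` template is taken from the quoted code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model type: a string plus a taint flag. */
typedef struct { char text[128]; bool tainted; } tstr;

static tstr tstr_make(const char *s, bool tainted) {
    tstr t = { .tainted = tainted };
    snprintf(t.text, sizeof t.text, "%s", s);
    return t;
}

/* Format a header name into the trusted template. The result is tainted
   whenever the argument is, because its bytes become part of the string. */
static tstr build_def_check(const tstr *hdr) {
    tstr out = { .tainted = hdr->tainted };
    snprintf(out.text, sizeof out.text,
             "${if def:header_%s {true}{false}}", hdr->text);
    return out;
}

/* Model expander: returns -1 and refuses to interpret tainted input.
   On success returns 0; the result is conservatively marked tainted
   because it is derived from message data (modelling choice). */
static int model_expand(const tstr *in, tstr *out) {
    if (in->tainted) return -1;
    *out = tstr_make("true", true);
    return 0;
}

/* The header name comes from the filter script, so it inherits the
   trust level of wherever that script was loaded from. */
static int sieve_header_check(const char *name, bool script_tainted,
                              tstr *result) {
    tstr hdr = tstr_make(name, script_tainted);
    tstr query = build_def_check(&hdr);
    return model_expand(&query, result);
}

int main(void) {
    tstr r;
    printf("trusted script: %d\n", sieve_header_check("subject", false, &r));
    printf("tainted script: %d\n", sieve_header_check("subject", true, &r));
    return 0;
}
```

In this model the same header test succeeds or is refused purely according to the trust level of the script source, which is the question raised in the last paragraph of the message.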