Re: [exim] Sieve filters broken due to tainted expansions?

Top Page
Delete this message
Reply to this message
Author: Tobias Klausmann
Date:  
To: exim-users
Subject: Re: [exim] Sieve filters broken due to tainted expansions?
Hi!

On Tue, 07 Jan 2020, Jeremy Harris via Exim-users wrote:
> On 07/01/2020 16:47, Tobias Klausmann via Exim-users wrote:
> > # exim -bt klausman-gentoo@???
> > LOG: MAIN PANIC
> > attempt to expand tainted string '$rheader_From'
> > LOG: MAIN PANIC
> > attempt to expand tainted string '${if def:header_From {true}{false}}'
> > Sieve error: header string expansion failed in line 3
> > klausman-gentoo@??? -> inbox
> > transport = address_file
>
> Raised bug 2506 for this.
> Please say what platform and who built the exim binary.


$ uname -a
Linux skade 5.5.0-rc3 #15 SMP Fri Dec 27 13:10:59 CET 2019 x86_64 Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz GenuineIntel GNU/Linux

Exim was built on the same machine, using Gentoo's portage.


Adress test with -d+all and full config (I've also attached my
exim.conf):

  08:54:49  2563 Exim version 4.93.0.4 uid=1000 gid=1000 pid=2563 D=fff9ffff
  Support for: crypteq iconv() IPv6 PAM Perl TCPwrappers OpenSSL Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PRDR TCP_Fast_Open
  Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch passwd
  Authenticators: cram_md5 cyrus_sasl plaintext spa
  Routers: accept dnslookup ipliteral manualroute queryprogram redirect
  Transports: appendfile/maildir/mailstore autoreply pipe smtp
  Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
  Fixed never_users: 0
  Configure owner: 0:0
  Size of off_t: 8
  Compiler: GCC [9.2.0]
  Library version: Glibc: Compile: 2.30
                          Runtime: 2.30
  Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                        Runtime: Berkeley DB 5.3.28: (September  9, 2013)
  Library version: OpenSSL: Compile: OpenSSL 1.1.1d  10 Sep 2019
                            Runtime: OpenSSL 1.1.1d  10 Sep 2019
                                   : built on: Tue Dec  3 18:07:39 2019 UTC
  Library version: IDN2: Compile: 2.3.0
                         Runtime: 2.3.0
  Library version: Stringprep: Compile: 1.35
                               Runtime: 1.35
  Library version: Cyrus SASL: Compile: 2.1.27
                               Runtime: 2.1.27 [Cyrus SASL]
  Library version: PCRE: Compile: 8.43
                         Runtime: 8.43 2019-02-23
  08:54:49  2563 Total 11 lookups
  WHITELIST_D_MACROS unset
  TRUSTED_CONFIG_LIST unset
  08:54:49  2563 changed uid/gid: -C, -D, -be or -bf forces real uid
  08:54:49  2563   uid=1000 gid=1000 pid=2563
  08:54:49  2563   auxiliary group list: 10 12 16 35 78 100 110 237 245 249 250 1000
  08:54:49  2563 seeking password data for user "root": cache not available
  08:54:49  2563 getpwnam() succeeded uid=0 gid=0
  08:54:49  2563 tls_validate_require_cipher child 2564 ended: status=0x0
  08:54:49  2563 adding PATH=/sbin:/usr/sbin
  08:54:49  2563 configuration file is exim.conf
  08:54:49  2563 log selectors = 00000ffc 99005032 00000003
  08:54:49  2563 admin user
  08:54:49  2563 dropping to exim gid; retaining priv uid
  08:54:49  2563 changing group to 12 failed: Operation not permitted
  08:54:49  2563 originator: uid=1000 gid=1000 login=klausman name=Tobias Klausmann
  08:54:49  2563 sender address = klausman@???
  08:54:49  2563 Address testing: uid=1000 gid=1000 euid=1000 egid=1000
  08:54:49  2563 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  08:54:49  2563 Testing klausman-gentoo@???
  08:54:49  2563 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  08:54:49  2563 Considering klausman-gentoo@???
  08:54:49  2563 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  08:54:49  2563 routing klausman-gentoo@???
  08:54:49  2563 --------> virtual router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 checking domains
  08:54:49  2563 search_open: dsearch "/etc/exim/virtual"
  08:54:49  2563 search_find: file="/etc/exim/virtual"
  08:54:49  2563   key="schwarzvogel.de" partial=-1 affix=NULL starflags=0
  08:54:49  2563 LRU list:
  08:54:49  2563   5/etc/exim/virtual
  08:54:49  2563   End
  08:54:49  2563 internal_search_find: file="/etc/exim/virtual"
  08:54:49  2563   type=dsearch key="schwarzvogel.de"
  08:54:49  2563 file lookup required for schwarzvogel.de
  08:54:49  2563   in /etc/exim/virtual
  08:54:49  2563 lookup failed
  08:54:49  2563 schwarzvogel.de in "dsearch;/etc/exim/virtual"? no (end of list)
  08:54:49  2563 virtual router skipped: domains mismatch
  08:54:49  2563 --------> dnslookup router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 checking domains
  08:54:49  2563 schwarzvogel.de in "schwarzvogel.de:skade.schwarzvogel.de:i-no.de"? yes (matched "schwarzvogel.de")
  08:54:49  2563 schwarzvogel.de in "! +local_domains"? no (matched "! +local_domains")
  08:54:49  2563 dnslookup router skipped: domains mismatch
  08:54:49  2563 --------> new_system_aliases router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 calling new_system_aliases router
  08:54:49  2563 rda_interpret (string): '${lookup{$local_part}lsearch{/etc/mail/aliases}}'
  08:54:49  2563  ╭considering: ${lookup{$local_part}lsearch{/etc/mail/aliases}}
  08:54:49  2563   ╭considering: $local_part}lsearch{/etc/mail/aliases}}
  08:54:49  2563   ├──expanding: $local_part
  08:54:49  2563   ╰─────result: klausman-gentoo
  08:54:49  2563              ╰──(tainted)
  08:54:49  2563   ╭considering: /etc/mail/aliases}}
  08:54:49  2563   ├──expanding: /etc/mail/aliases
  08:54:49  2563   ╰─────result: /etc/mail/aliases
  08:54:49  2563  search_open: lsearch "/etc/mail/aliases"
  08:54:49  2563  search_find: file="/etc/mail/aliases"
  08:54:49  2563    key="klausman-gentoo" partial=-1 affix=NULL starflags=0
  08:54:49  2563  LRU list:
  08:54:49  2563    7/etc/mail/aliases
  08:54:49  2563    5/etc/exim/virtual
  08:54:49  2563    End
  08:54:49  2563  internal_search_find: file="/etc/mail/aliases"
  08:54:49  2563    type=lsearch key="klausman-gentoo"
  08:54:49  2563  file lookup required for klausman-gentoo
  08:54:49  2563    in /etc/mail/aliases
  08:54:49  2563  lookup failed
  08:54:49  2563  ├──expanding: ${lookup{$local_part}lsearch{/etc/mail/aliases}}
  08:54:49  2563  ╰─────result: 
  08:54:49  2563 expanded: ''
  08:54:49  2563 file is not a filter file
  08:54:49  2563 parse_forward_list: 
  08:54:49  2563 new_system_aliases router declined for klausman-gentoo@???
  08:54:49  2563 --------> userforward router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 checking for local user
  08:54:49  2563 seeking password data for user "klausman-gentoo": cache not available
  08:54:49  2563 getpwnam() returned NULL (user not found)
  08:54:49  2563 userforward router skipped: klausman-gentoo is not a local user
  08:54:49  2563 --------> extension_user_verify router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 stripped suffix -gentoo
  08:54:49  2563 extension_user_verify router skipped: verify_only set
  08:54:49  2563 --------> extension_user_delivery_f router <--------
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 stripped suffix -gentoo
  08:54:49  2563 checking require_files
  08:54:49  2563  ╭considering: /home/$local_part/.mail-extensions
  08:54:49  2563  ├──expanding: /home/$local_part/.mail-extensions
  08:54:49  2563  ╰─────result: /home/klausman/.mail-extensions
  08:54:49  2563             ╰──(tainted)
  08:54:49  2563 file check: /home/$local_part/.mail-extensions
  08:54:49  2563 expanded file: /home/klausman/.mail-extensions
  08:54:49  2563 stat() yielded 0
  08:54:49  2563  ╭considering: /home/$local_part/.forward
  08:54:49  2563  ├──expanding: /home/$local_part/.forward
  08:54:49  2563  ╰─────result: /home/klausman/.forward
  08:54:49  2563             ╰──(tainted)
  08:54:49  2563 file check: /home/$local_part/.forward
  08:54:49  2563 expanded file: /home/klausman/.forward
  08:54:49  2563 stat() yielded 0
  08:54:49  2563 checking "condition" "${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}"...
  08:54:49  2563  ╭considering: ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  08:54:49  2563   ╭considering: $local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  08:54:49  2563   ├──expanding: $local_part_suffix
  08:54:49  2563   ╰─────result: -gentoo
  08:54:49  2563              ╰──(tainted)
  08:54:49  2563   ╭considering: /home/$local_part/.mail-extensions}{yes}{no}}
  08:54:49  2563   ├──expanding: /home/$local_part/.mail-extensions
  08:54:49  2563   ╰─────result: /home/klausman/.mail-extensions
  08:54:49  2563              ╰──(tainted)
  08:54:49  2563  search_open: lsearch "/home/klausman/.mail-extensions"
  08:54:49  2563  search_find: file="/home/klausman/.mail-extensions"
  08:54:49  2563    key="-gentoo" partial=-1 affix=NULL starflags=0
  08:54:49  2563  LRU list:
  08:54:49  2563    7/home/klausman/.mail-extensions
  08:54:49  2563    7/etc/mail/aliases
  08:54:49  2563    5/etc/exim/virtual
  08:54:49  2563    End
  08:54:49  2563  internal_search_find: file="/home/klausman/.mail-extensions"
  08:54:49  2563    type=lsearch key="-gentoo"
  08:54:49  2563  file lookup required for -gentoo
  08:54:49  2563    in /home/klausman/.mail-extensions
  08:54:49  2563  lookup yielded: # Gentoo
  08:54:49  2563   ╭considering: yes}{no}}
  08:54:49  2563   ├──expanding: yes
  08:54:49  2563   ╰─────result: yes
  08:54:49  2563   ╭───scanning: no}}
  08:54:49  2563   ├──expanding: no
  08:54:49  2563   ├─────result: no
  08:54:49  2563   ╰───skipping: result is not used
  08:54:49  2563  ├──expanding: ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  08:54:49  2563  ╰─────result: yes
  08:54:49  2563 calling extension_user_delivery_f router
  08:54:49  2563  ╭considering: $local_part
  08:54:49  2563  ├──expanding: $local_part
  08:54:49  2563  ╰─────result: klausman
  08:54:49  2563             ╰──(tainted)
  08:54:49  2563 seeking password data for user "klausman": cache not available
  08:54:49  2563 getpwnam() succeeded uid=1000 gid=1000
  08:54:49  2563 rda_interpret (file): '/home/$local_part/.forward'
  08:54:49  2563  ╭considering: /home/$local_part/.forward
  08:54:49  2563  ├──expanding: /home/$local_part/.forward
  08:54:49  2563  ╰─────result: /home/klausman/.forward
  08:54:49  2563             ╰──(tainted)
  08:54:49  2563 expanded: '/home/klausman/.forward'
  08:54:49  2563 search_tidyup called
  08:54:49  2565 changed uid/gid: extension_user_delivery_f router (recipient is klausman-gentoo@???)
  08:54:49  2565   uid=1000 gid=1000 pid=2565
  08:54:49  2565   auxiliary group list: 10 12 16 35 78 100 110 237 245 249 250 1000
  08:54:49  2565 turned off address rewrite logging (not root or exim in this process)
  08:54:49  2565 7892 bytes read from /home/klausman/.forward
  08:54:49  2565 data is a Sieve filter program
  08:54:49  2565 Sieve: start of processing
  08:54:49  2565  ╭considering: $rheader_From
  08:54:49  2565 LOG: MAIN PANIC
  08:54:49  2565   attempt to expand tainted string '$rheader_From'
  08:54:49  2565  ├failed to expand: $rheader_From
  08:54:49  2565  ╰───error message: attempt to expand tainted string '$rheader_From'
  08:54:49  2565  ╭considering: ${if def:header_From {true}{false}}
  08:54:49  2565 LOG: MAIN PANIC
  08:54:49  2565   attempt to expand tainted string '${if def:header_From {true}{false}}'
  08:54:49  2565  ├failed to expand: ${if def:header_From {true}{false}}
  08:54:49  2565  ╰───error message: attempt to expand tainted string '${if def:header_From {true}{false}}'
  08:54:49  2565 fileinto `inbox'
  08:54:49  2565 Sieve error: header string expansion failed in line 6
  08:54:49  2565 Sieve: end of processing
  08:54:49  2565 search_tidyup called
  08:54:49  2563 rda_interpret: subprocess yield=0 error=NULL
  08:54:49  2563 set transport address_file
  08:54:49  2563 extension_user_delivery_f router generated inbox
  08:54:49  2563   pipe, file, or autoreply
  08:54:49  2563   errors_to=NULL transport=address_file
  08:54:49  2563   uid=1000 gid=1000 home=NULL
  08:54:49  2563 routed by extension_user_delivery_f router
  08:54:49  2563   envelope to: klausman-gentoo@???
  08:54:49  2563   transport: <none>
  08:54:49  2563 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  08:54:49  2563 Considering inbox
  08:54:49  2563 search_tidyup called
  08:54:49  2563 >>>>>>>>>>>>>>>> Exim pid=2563 (main) terminating with rc=0 >>>>>>>>>>>>>>>>
  klausman-gentoo@??? -> inbox
    transport = address_file



Best,
Tobias

keep_environment =
add_environment = <; PATH=/sbin:/usr/sbin
primary_hostname = mail.schwarzvogel.de
chunking_advertise_hosts =
domainlist local_domains = schwarzvogel.de:skade.schwarzvogel.de:i-no.de
hostlist relay_from_hosts = <; 127.0.0.1/8 ; ::1
log_selector = +delivery_size +subject +smtp_confirmation
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_helo = acl_check_helo
qualify_domain = schwarzvogel.de
never_users = root
queue_list_requires_admin = false
host_lookup = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 7d
smtp_banner = $smtp_active_hostname

tls_advertise_hosts = *
tls_certificate = /etc/letsencrypt/live/mail.schwarzvogel.de/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail.schwarzvogel.de/privkey.pem

begin acl

acl_check_helo:
    accept
        condition = ${if match {$sender_fullhost}{127.0.0.1} {yes}{no}}


    deny message = Invalid HELO. You're spam or a virus, or your sysadmin is an idiot.
        log_message = HELO/EHLO domain without dot.
        condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}


    accept


acl_check_rcpt:

accept hosts = :

  deny    local_parts   = ^.*[@%!/|] : ^\\.


  deny      recipients = lsearch;/etc/exim/never_users


  accept  local_parts   = postmaster
          domains       = +local_domains


  require verify        = sender


  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient


  accept  domains       = +relay_to_domains
        verify        = recipient/callout=15s/callout_defer_ok
          endpass
          message       = unrouteable address
          verify        = recipient


  accept  hosts         = +relay_from_hosts


  deny    message       = relay not permitted


accept

begin routers

virtual:
      driver = redirect
      domains = dsearch;/etc/exim/virtual
      data = ${lookup{$local_part}lsearch*{/etc/exim/virtual/$domain}}
      no_more


dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

new_system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/mail/aliases}}
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
require_files = $home/.forward
allow_filter
allow_fail
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

extension_user_verify:
driver = accept
local_part_suffix = -*
require_files = /home/$local_part/.mail-extensions
verify_only
condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}

extension_user_delivery_f:
driver = redirect
local_part_suffix = -*
require_files = /home/$local_part/.mail-extensions:/home/$local_part/.forward
condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
user=$local_part
check_ancestor
file = /home/$local_part/.forward
allow_filter
allow_fail
verify=false
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

extension_user_delivery:
driver = accept
local_part_suffix = -*
require_files = /home/$local_part/.mail-extensions
condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
user=$local_part
verify=false
transport = local_delivery

localuser:
driver = accept
check_local_user
transport = local_delivery

begin transports

remote_smtp:
driver = smtp

procmail_pipe:
driver = pipe
command = /usr/bin/procmail -d $local_part
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
user = $local_part
group = mail

local_delivery:
driver = appendfile
directory = /home/$local_part/Mail/inbox/
delivery_date_add
envelope_to_add
return_path_add
mode = 0660
maildir_format
user = $local_part
group = mail

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
directory = /home/$local_part/Mail/$address_file
maildir_format = true
user = $local_part
group = mail
maildir_tag = ,S=$message_size
quota_size_regex = S=(\d+)
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

begin retry

*                      *           F,2h,5m; G,16h,1h,1.5; F,4d,6h