Re: [exim] Sieve filters broken due to tainted expansions?

Author: Tobias Klausmann
Date:  
To: exim-users
Subject: Re: [exim] Sieve filters broken due to tainted expansions?
Hi!

On Wed, 08 Jan 2020, Andrew C Aitchison via Exim-users wrote:
> I see from your latest message that
>      /home/$local_part/... is tainted.
> Would using $home - and check_local_user to set it - do what you need ?


Indeed that seems to work. I changed the earlier config thus:

  $ diff -Naur exim-old.conf exim.conf 
  --- exim-old.conf       2020-01-08 10:02:17.450333630 +0100
  +++ exim.conf   2020-01-08 10:01:33.290288221 +0100
  @@ -103,18 +103,20 @@
   extension_user_verify:
     driver = accept
     local_part_suffix = -*
  -  require_files = /home/$local_part/.mail-extensions
  +  require_files = $home/.mail-extensions
     verify_only
  -  condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  +  check_local_user
  +  condition = ${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}


   extension_user_delivery_f:
     driver = redirect
  +  check_local_user
     local_part_suffix = -*
  -  require_files =  /home/$local_part/.mail-extensions:/home/$local_part/.forward
  -  condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  +  require_files =  $home/.mail-extensions:$home/.forward
  +  condition = ${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}
     user=$local_part
     check_ancestor
  -  file = /home/$local_part/.forward
  +  file = $home/.forward
     allow_filter
     allow_fail
     verify=false
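
Review bot: in extension_user_delivery_f the unchanged line `user=$local_part` still expands the address-derived local part, while every path in this router now goes through $home. With check_local_user added to the router, it is worth checking whether that explicit user setting is still needed, or at least recording in a comment why it stays on $local_part. As a style point, check_local_user is added after verify_only in extension_user_verify but directly after driver in extension_user_delivery_f; using the same position in each router would make the stanzas easier to compare.
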
  @@ -125,8 +127,9 @@
   extension_user_delivery:
     driver = accept
     local_part_suffix = -*
  -  require_files =  /home/$local_part/.mail-extensions
  -  condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
  +  check_local_user
  +  require_files =  $home/.mail-extensions
  +  condition = ${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}
     user=$local_part
     verify=false
     transport = local_delivery
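
Review bot: replacing the hard-coded /home/$local_part with $home in require_files and condition of extension_user_delivery changes which file is consulted for any account whose home directory is not under /home/, and nothing in the config says so. A short comment above the router stating that $home comes from check_local_user and replaces the tainted /home/$local_part path would keep a later edit from reverting it. The unchanged `user=$local_part` line in this router still uses the address-derived value as well.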


And this seems to work. I'll test it for a bit and report back.

Is the use of $local_part in the transports seen as safe, or
should I change those to use $home as well?

Best,
Tobias

-- 
Sent from aboard the Culture ship
    GSV Use Psychology