[exim] Tainting & rewrite rules

Top Page
Delete this message
Reply to this message
Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: [exim] Tainting & rewrite rules
Hello.

I have a rewrite rule for one client:

*@XXX.msk.ru        ${lookup{$0}wildlsearch{/path/to/maps/XXX.msk.ru.map}{$value}{${sg{$local_part}{_}{.}}@???}} Fcbtrf


After upgrade to 4.93 I found that mails from XXX.msk.ru are rejected
with "421 Unexpected failure", and panic.log contains records like

2020-01-13 14:55:25.279 [115431] 1iqyJZ-000U1n-8z Taint mismatch, Ustrncpy: rewrite_one_header 611

2020-01-13 14:58:45.412 [116160] 1iqyMn-000UDY-DI Taint mismatch, Ustrncpy: rewrite_one_header 611

2020-01-13 15:21:26.775 [118739] 1iqyik-000Ut9-Oz Taint mismatch, Ustrncpy: rewrite_one_header 611

It's clear that reason is the presence of $local_part on the right side.
However, there are no file operations on the right side, so I'd expect
this operation is safe and should be permitted in this context.
Is it correct or not?

If it's not a bug, how arbitrary address substitutions can be done
in similar cases? Should we use some external script?
--
Eugene Berdnikov