On Mon, 13 Jan 2020, Evgeniy Berdnikov via Exim-users wrote:
> Hello.
>
> I have a rewrite rule for one client:
>
> *@XXX.msk.ru ${lookup{$0}wildlsearch{/path/to/maps/XXX.msk.ru.map}{$value}{
${sg{$local_part}{_}{.}}@???}} Fcbtrf
>
> After upgrade to 4.93 I found that mails from XXX.msk.ru are rejected
> with "421 Unexpected failure", and panic.log contains records like
>
> 2020-01-13 14:55:25.279 [115431] 1iqyJZ-000U1n-8z Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> 2020-01-13 14:58:45.412 [116160] 1iqyMn-000UDY-DI Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> 2020-01-13 15:21:26.775 [118739] 1iqyik-000Ut9-Oz Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> It's clear that reason is the presence of $local_part on the right side.
> However, there are no file operations on the right side, so I'd expect
> this operation is safe and should be permitted in this context.
> Is it correct or not?
>
> If it's not a bug, how arbitrary address substitutions can be done
> in similar cases? Should we use some external script?
What happens if you replace $local_part with $1, ie:
*@XXX.msk.ru ${lookup{$0}wildlsearch{/path/to/maps/XXX.msk.ru.map}{$value}{${sg{$1}{_}{.}}@???}} Fcbtrf
?
--
Andrew C. Aitchison Kendal, UK
andrew@???
