Re: [exim] Tainting & rewrite rules

Góra strony
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
Dla: Evgeniy Berdnikov
CC: exim-users
Temat: Re: [exim] Tainting & rewrite rules
On Mon, 13 Jan 2020, Evgeniy Berdnikov via Exim-users wrote:

> Hello.
>
> I have a rewrite rule for one client:
>
> *@XXX.msk.ru        ${lookup{$0}wildlsearch{/path/to/maps/XXX.msk.ru.map}{$value}{

                 ${sg{$local_part}{_}{.}}@???}} Fcbtrf

>
> After upgrade to 4.93 I found that mails from XXX.msk.ru are rejected
> with "421 Unexpected failure", and panic.log contains records like
>
> 2020-01-13 14:55:25.279 [115431] 1iqyJZ-000U1n-8z Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> 2020-01-13 14:58:45.412 [116160] 1iqyMn-000UDY-DI Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> 2020-01-13 15:21:26.775 [118739] 1iqyik-000Ut9-Oz Taint mismatch, Ustrncpy: rewrite_one_header 611
>
> It's clear that reason is the presence of $local_part on the right side.
> However, there are no file operations on the right side, so I'd expect
> this operation is safe and should be permitted in this context.
> Is it correct or not?
>
> If it's not a bug, how arbitrary address substitutions can be done
> in similar cases? Should we use some external script?


What happens if you replace $local_part with $1, ie:
*@XXX.msk.ru        ${lookup{$0}wildlsearch{/path/to/maps/XXX.msk.ru.map}{$value}{${sg{$1}{_}{.}}@???}} Fcbtrf
?


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???