Re: [exim] Sieve filters broken due to tainted expansions?

Author: Chris Siebenmann
Date:  
To: Jeremy Harris
CC: exim-users, cks
Subject: Re: [exim] Sieve filters broken due to tainted expansions?
> > What's the suggested way to do that for virtual domains, that is many
> > mailboxes that all belong to the same local user, and which are not
> > obtained through a lookup, but through the filesystem itself?
>
> The result of a lookup is untainted, and will likely remain so
> (even if the key for the lookup is tainted, eg. $local_part).
> So whatever you're doing now should still work, so long as you
> don't name the DB for the lookup using tainted data.


Is there a way of un-tainting things from $local_part? We have a
long-standing little feature where we implement per-address settings
for things like blocklists using databases read from directories named
after the local addresses, more or less:

    UBDIR = CFDIR/${lc:$local_part}


    deny
        domains = +local_domains
        senders = ${if exists {UBDIR/senders} {UBDIR/senders}}
        message = mail from ...


We have not yet updated to a version of Exim that uses tainting and so
I don't know if this usage will be immediately affected, but it seems
that this is now being considered questionable in at least this form.

(We already check and sanitize $local_part, so this is safe in our
usage. People do not get to create valid local addresses with eg '/../'
in them, and if they did manage it somehow, explicit address content
checks would reject them earlier. Also, these per-user files must be
updated by root, so we consider their contents safe.)

    - cks
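
An added example, not part of the message above or of Exim's own documentation: one way to apply the quoted point that lookup results are untainted to the UBDIR macro, using Exim's dsearch lookup with the tainted local part only as the lookup key. The UBNAME macro is a hypothetical name, and the layout of CFDIR (one subdirectory per lower-cased local part) is assumed from the message.

```conf
# Added example; UBNAME is a hypothetical macro name.
# Assumption: CFDIR contains one subdirectory per lower-cased local part.

# Before: the path is built directly from $local_part, so the whole
# string is derived from sender-supplied (tainted) data.
# UBDIR = CFDIR/${lc:$local_part}

# After: the tainted local part is used only as the *key* of a dsearch
# lookup. The directory searched (CFDIR) is fixed configuration data,
# and the result is the name of the matching directory entry, which is
# a lookup result rather than the original input string.
# dsearch rejects keys containing '/', and a key with no matching entry
# makes the lookup fail, which here expands to an empty string.
UBNAME = ${lookup {${lc:$local_part}} dsearch {CFDIR} {$value}}
UBDIR  = CFDIR/UBNAME

deny
    domains = +local_domains
    # No per-address directory: skip this statement instead of testing
    # a path that ends in "CFDIR/".
    condition = ${if !eq {UBNAME}{}}
    senders = ${if exists {UBDIR/senders} {UBDIR/senders}}
    message = mail from ...
```

The lookup also acts as an allow-list: only local parts that already exist as directory names under CFDIR can ever appear in the file path.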