Re: [exim] Taint mismatch in exim 4.93.0.4

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Heiko Schlichting
Data:  
Para: exim-users
Asunto: Re: [exim] Taint mismatch in exim 4.93.0.4
I wrote a few days ago:
> after upgrading to exim 4.93.0.4 it complains about
>
>     2020-02-24 11:08:47 1j6AfP-002SAT-9R Taint mismatch, string_vformat: spam 404

>
> in SMTP DATA ACL. The config looks like this:
>
>     deny     message     = This message was classified as SPAM
>              spam        = nobody/defer_ok


It was completely my mistake and caused by a local modification which
I have done many years ago and forgot about but rebased on it.

Our spam scanning solution (cyren eXpurgate) makes use of the sender
address, therefore spam.c was patched to provide it using SPAMC version 1.3:

--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -398,9 +398,10 @@ else
   {                            /* spamassassin variant */
   (void)string_format(spamd_buffer,
          sizeof(spamd_buffer),
-         "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n",
+          "REPORT SPAMC/1.3\r\nUser: %s\r\nContent-length: %ld\r\nSender: %s\r\n\r\n",
          user_name,
-         mbox_size);
+         mbox_size,
+          sender_address);
   /* send our request */
   wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0);
   }


But sender_address is tainted which is correct. Please ignore my previous
mails.

I'm really sorry for the confusion.

Regards,
Heiko

Heiko Schlichting                Freie Universität Berlin
heiko.schlichting@???   Zentraleinrichtung für Datenverarbeitung
Telefon +49 30 838-54327         Fabeckstraße 32
Telefax +49 30 838454327         14195 Berlin