https://bugs.exim.org/show_bug.cgi?id=2546
Bug ID: 2546
Summary: query with server specified won't work well with
tainted query args
Product: Exim
Version: 4.93
Hardware: All
OS: All
Status: NEW
Severity: wishlist
Priority: medium
Component: Lookups
Assignee: unallocated@???
Reporter: jgh146exb@???
CC: exim-dev@???
If any tainted variables are used in building the query string, the whole
string
becomes tainted. We'd like to enforce the use of taint-free specification of
the
DB server. This became an issue with sqlite lookups, where the equivalent of
the
DB server spec was the sqlite data file; it was only specifiable as part of the
query string. The solution was to add a main-option for the sqlite db file, as
is
done for the other DB types for their server specs.
That doesn't cover the case where access to an alternate server is wanted for a
particular query. We need a way of specifying the server (or file) separate
from
the query string.
The existing looks like:
${lookup pgsql{servers=master/db/name/pw; UPDATE ...} }
Possible solution: an option appended to the query-type, eg:
${lookup pgsql,servers=<list> {SELECT field FROM table WHERE id =
'$tainted_var'}}
<list> would be similar to
Choice of the separator for the option is an issue; would prefer to avoid
anything used in possible <list>s. It's a colon-sep list, and items might have
slashes, at least.
--
You are receiving this mail because:
You are on the CC list for the bug.
