[exim-dev] [Bug 2546] New: query with server specified won't…

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2546] New: query with server specified won't work well with tainted query args
https://bugs.exim.org/show_bug.cgi?id=2546

            Bug ID: 2546
           Summary: query with server specified won't work well with
                    tainted query args
           Product: Exim
           Version: 4.93
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Lookups
          Assignee: unallocated@???
          Reporter: jgh146exb@???
                CC: exim-dev@???


If any tainted variables are used in building the query string, the whole
string
becomes tainted. We'd like to enforce the use of taint-free specification of
the
DB server. This became an issue with sqlite lookups, where the equivalent of
the
DB server spec was the sqlite data file; it was only specifiable as part of the
query string. The solution was to add a main-option for the sqlite db file, as
is
done for the other DB types for their server specs.

That doesn't cover the case where access to an alternate server is wanted for a
particular query. We need a way of specifying the server (or file) separate
from
the query string.

The existing looks like:
${lookup pgsql{servers=master/db/name/pw; UPDATE ...} }


Possible solution: an option appended to the query-type, eg:

${lookup pgsql,servers=<list> {SELECT field FROM table WHERE id =
'$tainted_var'}}

<list> would be similar to
Choice of the separator for the option is an issue; would prefer to avoid
anything used in possible <list>s. It's a colon-sep list, and items might have
slashes, at least.

--
You are receiving this mail because:
You are on the CC list for the bug.