Re: [exim] Database lookup tainted

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Database lookup tainted
On 02/06/2020 12:12, exim.org--- via Exim-users wrote:
> However after updating to 4.94 I only get errors like this (private details replaced):
>
> 2:19:39.350 12159 ╭considering: ${lookup pgsql {servers=127.0.0.1/mydb/mydbuser/mydbpw; SELECT
> string_agg(DISTINCT userid,',') AS target FROM aliases WHERE
> address='${quote_pgsql:$local_part@$domain}';}}
> 12:19:39.351 12159 ╭considering: servers=127.0.0.1/mydb/mydbuser/mydbpw; SELECT string_agg(DISTINCT
> userid,',') AS target FROM aliases WHERE address='${quote_pgsql:$local_part@$domain}';}}
> 12:19:39.351 12159 ╭considering: $local_part@$domain}';}}
> 12:19:39.351 12159 ├──expanding: $local_part@$domain
> 12:19:39.351 12159 ╰─────result: myuser@???
> 12:19:39.351 12159 ╰──(tainted)


You don't say in what fashion it is not working. The taint in that
position is not an error.

>
> What do I have to change to make this work again?
> What is the reason it says tainted?


The content (of both) of the variables being expanded came from a
source we cannot trust, it being a potential attacker. For this
reason it is tagged as "tainted".
--
Cheers,
Jeremy