Re: [exim] Database lookup tainted

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jeremy Harris
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Database lookup tainted
On 02/06/2020 12:12, exim.org--- via Exim-users wrote:
> However after updating to 4.94 I only get errors like this (private details replaced):
>
> 2:19:39.350 12159 ╭considering: ${lookup pgsql {servers=127.0.0.1/mydb/mydbuser/mydbpw; SELECT
> string_agg(DISTINCT userid,',') AS target FROM aliases WHERE
> address='${quote_pgsql:$local_part@$domain}';}}
> 12:19:39.351 12159 ╭considering: servers=127.0.0.1/mydb/mydbuser/mydbpw; SELECT string_agg(DISTINCT
> userid,',') AS target FROM aliases WHERE address='${quote_pgsql:$local_part@$domain}';}}
> 12:19:39.351 12159 ╭considering: $local_part@$domain}';}}
> 12:19:39.351 12159 ├──expanding: $local_part@$domain
> 12:19:39.351 12159 ╰─────result: myuser@???
> 12:19:39.351 12159 ╰──(tainted)


You don't say in what fashion it is not working. The taint in that
position is not an error.

>
> What do I have to change to make this work again?
> What is the reason it says tainted?


The content (of both) of the variables being expanded came from a
source we cannot trust, it being a potential attacker. For this
reason it is tagged as "tainted".
--
Cheers,
Jeremy