Re: [exim] Tainted filename for search

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Jeremy Harris
Fecha:  
A: exim-users
Asunto: Re: [exim] Tainted filename for search
On 06/06/2020 19:29, Jeremy Harris via Exim-users wrote:
> On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
>>   dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
>> selector from dkimcerts where domain='$sender_address_domain'}{$value}}
>
> As I told Max, one of:
>
> - use the sqlite_dbfile main option
> - use separate tables within one sqlite db rather than multiple db files
> - ensure your sqlite lookup strings do not contain tainted data
> (look in the Concept Index for de-tainting methods)
> - move to a different db type
> - wait for the next release
>


To which I'll now add:

- If you are building from git, or from source that you can patch,
pick up https://git.exim.org/exim.git/commit/b8514d1960e259d49ab2c84c89eba52ab993da3f

--
Cheers,
Jeremy