Re: [exim] Tainted filename for search

Góra strony
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
Dla: exim-users
Temat: Re: [exim] Tainted filename for search
On 06/06/2020 19:29, Jeremy Harris via Exim-users wrote:
> On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
>>   dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
>> selector from dkimcerts where domain='$sender_address_domain'}{$value}}
>
> As I told Max, one of:
>
> - use the sqlite_dbfile main option
> - use separate tables within one sqlite db rather than multiple db files
> - ensure your sqlite lookup strings do not contain tainted data
> (look in the Concept Index for de-tainting methods)
> - move to a different db type
> - wait for the next release
>


To which I'll now add:

- If you are building from git, or from source that you can patch,
pick up https://git.exim.org/exim.git/commit/b8514d1960e259d49ab2c84c89eba52ab993da3f

--
Cheers,
Jeremy