[exim] Exim 4.94: "Tainted filename for search: 'select'"

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Felix Schwarz
Ημερομηνία:  
Προς: Exim-users
Αντικείμενο: [exim] Exim 4.94: "Tainted filename for search: 'select'"
Hey,

(sorry for starting a new thread - I was not subscribed previously so I could
not reply in the old thread).

After upgrading to 4.94 I got the ominous error message:
Tainted filename for search: 'select'

As far as I understood "sqlite_dbfile" should solve the problem for me but it
does not.

This is likely the important part of my configuration

sqlite_dbfile = /path/to/user.db

domainlist local_domains = sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;


...
acl_check_rcpt:

...
require domains = +local_domains :

          message = relay not permitted



Still exim 4.94 complains:

SMTP<< rcpt TO:<foo@???>

using ACL "acl_check_rcpt"

processing "require" (…)

message: relay not permitted

check domains = +local_domains :

╭considering: sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;

╭considering: $domain}' and is_enabled=1;

├──expanding: $domain

╰─────result: site.example

             ╰──(tainted)


├──expanding: sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;

╰─────result: sqlite;select DISTINCT domain from users where
domain='site.example' and is_enabled=1;

            ╰──(tainted)


LOG: MAIN PANIC

Tainted filename for search: 'select'



I assumed that "quote_sqlite" would untain the $domain value but it does not?
How can I retrieve the

Felix