Author: Felix Schwarz Date: To: exim-users Subject: Re: [exim] Exim 4.94: "Tainted filename for search: 'select'"
Am 19.06.20 um 14:27 schrieb Jeremy Harris via Exim-users: > On 18/06/2020 13:20, Felix Schwarz via Exim-users wrote:
>> sqlite_dbfile = /path/to/user.db
>>
>> domainlist local_domains = sqlite;select DISTINCT domain from users where
>> domain='${quote_sqlite:$domain}' and is_enabled=1;
>
> Two problems.
>
> - the <lookup-type> <semicolon> <file> syntax only applies for
> single-key lookup types. sqlite is a query-style.
> - that probably leads into the tainting problem, so I'll ignore that
Thank you - I was not aware of that distinction so I learned something new.
I modified the config to retrieve the list of domains from sqlite like this:
domainlist local_domains = \
${lookup sqlite{ SELECT DISTINCT domain || ':' FROM users WHERE is_enabled=1; }}
Do you see an obvious problem with that?
I was a bit surprised that Exim seems to concatenate multiple result values to
a single string (containing \n?) but it seems that I can add the list
separator ":" manually.
Also my exim config is now more secure than before due to all the taint
warnings. However it would be less stressful for me if there was at least one
release which just raised some warnings about tainting values (or a flag to
convert taint errors into warnings) to ease the migration.
Exim 4.94 was pushed to EPEL 7 stable without any announcement and I suspect
that explains the influx of questions about tainting on this mailing list. I
was caught by surprise as one of my SMTP servers stopped working after it
applied the update automatically...
