Re: [exim] Tainted filename for search in Exim 4.94-1

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Patrick Porteous
Data:  
Para: Exim-users
Asunto: Re: [exim] Tainted filename for search in Exim 4.94-1
On 2020-06-19 17:28, Jeremy Harris wrote:
> On 19/06/2020 17:33, Patrick Porteous via Exim-users wrote:
> > I'm having the same problem as Vladislav Georgiev after upgrading from
> > 4.93.3 to 4.94-1.  After applying the update, I receive the following
> > error when trying to send from any of my domains.  Is this a bug or is
> > this something I need to change in my config file for the new version?
>
> > 2020-06-19 07:54:17 H=mail.example.com ([192.168.1.###])

[##.###.###.##]
> > sender verify defer for <sender@???>: failed to expand
> >

"${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/domains/$domain/aliases}}}}":
> > NULL
>
> It is something you need to change in your configuration.
>
> You are using an unsafe construction for the
> file in which you are doing an lsearch.
>
> Consider that the domain, the result of expanding $domain,
> is fully under the control of a potential attacker.
> It could, for example, contain the letter sequence "../".
> --
> Cheers,
> Jeremy
>


Jeremy,

You mention that I am using an unsafe construction for the file in which
I am doing an lsearch.  I am assuming that you are saying that if an
attacker includes "../" in the $domain expansion that it would allow
them to potentially change the directory of the lsearch?   So if that is
the case, can you provide an example of how to safely construct the
file? I need to do a single key lookup on a file using a condition
statement in the correct de-tainted method?  Prior to the upgrade from
4.9.3 to 4.9.4, I could use the following in my routers to lookup values
from a file for conditional comparison:

  condition =
${lookup{$local_part}lsearch{/etc/exim/domains/$domain/users}{true}{false}}

I need to be able to look up the key in the "users" file and then
retrieve various values from the file.  In 4.9.4, is there still a means
to accomplish this with user supplied submission?  I understand that I
don't want an attacker to search unwanted directories on my system but
if I'm using virtual users, how do correctly supply their local_part
submission for validation against a file.

Thanks for the clarification.

Patrick