Re: [exim] Tainted filename for search in Exim 4.94-1

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Tainted filename for search in Exim 4.94-1
On 24/06/2020 21:10, Patrick Porteous via Exim-users wrote:
> I need to do a single key lookup on a file using a condition
> statement in the correct de-tainted method?


That is simplest (though any lookup would do; the point is to only
use the tainted data for lookup keys).

>  Prior to the upgrade from
> 4.9.3 to 4.9.4, I could use the following in my routers to lookup values
> from a file for conditional comparison:
>
>   condition =
> ${lookup{$local_part}lsearch{/etc/exim/domains/$domain/users}{true}{false}}


The "condition" option is conveniently evaluated after the "domain"
option, on a router (cf.
http://exim.org/exim-html-current/doc/html/spec_html/ch-how_exim_receives_and_delivers_mail.html#SECTrouprecon
)

So, assuming that your filesystem has the full set of directories
by domain name, in /etc/exim/domains/ , you can do on the same router

domains = ${lookup {$domain} dsearch {/etc/exim/domains/}}

This will do two things:
- enforce that the router only runs for a valid domain, as defined by
your filesystem content
- set $domain_data to a de-tainted value which you can use in
constructing the filename for a later lookup.

Actually, since the "domains" option takes a domain-list argument,
we might as well use a list-syntax lookup (where the key is implicit):

domains = dsearch;/etc/exim/domains/

As a slight tweak, use an option like so

domains = dsearch,ret=full;/etc/exim/domains/
condition = ${lookup {$local_part} lsearch {$domain_data} {true}{false}}

to save a minor amount of verbiage. And then, since the lookup data
result from the lsearch is irrelevant (only the success matters) in
your code above - use a "local_parts" option rather than a "condition":

domains =     dsearch,ret=full;/etc/exim/domains/
local_parts = lsearch;$domain_data




I didn't follow quite what you needed with:
> I need to be able to look up the key in the "users" file and then retrieve
> various values from the file. In 4.9.4, is there still a means to accomplish
> this with user supplied submission?


If you're saying you do need the data result of the lsearch, then after
the lsearch done by a "local_parts" router option it is present in
$local_part_data.
--
Cheers,
Jeremy
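
Added example (not part of the message above and not Exim code): a small Python model of the dsearch-then-lsearch pattern, showing that the filename is built from directory content while the sender-controlled domain is only ever used as a lookup key. The function names, the listing-based matching and the `users` file name (taken from the path in the quoted question) are assumptions of the model.

```python
import os
import tempfile

def dsearch(directory, key, ret_full=False):
    """Model of dsearch: the result comes from the directory listing, not the key."""
    if not key or "/" in key or key in (".", ".."):
        return None                      # a key can never name a path
    for entry in os.listdir(directory):  # trusted source: filesystem content
        if entry == key:
            return os.path.join(directory, entry) if ret_full else entry
    return None

def lsearch(path, key):
    """Model of lsearch: first line whose key matches; returns its data or None."""
    try:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                name, _, data = line.strip().partition(":")
                if name and not name.startswith("#") and name.strip() == key:
                    return data.strip()
    except OSError:
        return None
    return None

def route(base, domain, local_part):
    """domains = dsearch,ret=full;BASE  then  local_parts = lsearch;<domain_data>/users"""
    domain_data = dsearch(base, domain, ret_full=True)    # models $domain_data
    if domain_data is None:
        return None                                       # router declines
    # Assumption: per-domain file is called "users", as in the quoted question.
    return lsearch(os.path.join(domain_data, "users"), local_part)  # $local_part_data

def demo():
    """Constructed sample tree: one domain directory with a one-line users file."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "example.org"))
        with open(os.path.join(base, "example.org", "users"), "w", encoding="utf-8") as fh:
            fh.write("alice: quota=1G\n")
        return (route(base, "example.org", "alice"),    # known domain and user
                route(base, "example.org", "mallory"),  # unknown user
                route(base, "../../etc", "root"),       # traversal attempt as domain
                route(base, "unknown.test", "alice"))   # no such directory

if __name__ == "__main__":
    print(demo())
```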