Re: [exim] de-tainting

Author: Evgeniy Berdnikov
Date:
To: exim-users
Subject: Re: [exim] de-tainting
On Thu, Jun 25, 2020 at 04:29:21PM +0100, Jeremy Harris via Exim-users wrote:
> You had "xxample.ru:" as your matching line. Key, and zero-length
> data.


Well. After reading the docs several times and a series of experiments
with ACLs I came to the following conclusions:

 1. The variable $domain_data is set when the condition "domains = ..." is satisfied,
    regardless of the presence/absence of lookups. In particular, the condition
    "domains = $domain" is always valid in the RCPT ACL and sets $domain_data.


 2. The variable $domain_data is tainted if the right side of the "domains = ..."
    ACL condition is tainted.


This contradicts the documentation

| $domain_data is also set when the domains condition in an ACL matches
| a domain by means of a lookup. The data read by the lookup is available
| during the rest of the ACL statement. In all other situations,
| this variable expands to nothing.


at least in the statement "In all other situations, this variable expands
to nothing", because it may be filled even if no lookup is done.

Moreover, if the right side of "domains = ..." is a string expansion which
combines lookup data with other data, then $domain_data may differ
from the lookup data.

Below is a testcase.
--------------------------------------------------------------------------
ACL
test_domain_data:

 warn
    logwrite    = before test domain=\"$domain\" domain_data=\"$domain_data\"
    domains     = $domain
    logwrite    = after test domain=\"$domain\" domain_data=\"$domain_data\"
    condition   = ${if !eq{${lookup {$domain_data} lsearch \
              {/etc/exim4/cust.d/$domain_data}}}{}}


debug output:

>>>  check logwrite = before test domain=\"$domain\" domain_data=\"$domain_data\"
>>>                = before test domain="xxample.ru" domain_data=""

LOG: 459 [323342] before test domain="xxample.ru" domain_data=""
>>>  check domains = $domain
>>> xxample.ru in "xxample.ru"? yes (matched "xxample.ru")
>>>  check logwrite = after test domain=\"$domain\" domain_data=\"$domain_data\"
>>>                = after test domain="xxample.ru" domain_data="xxample.ru"

LOG: 459 [323342] after test domain="xxample.ru" domain_data="xxample.ru"
LOG: 459 [323342] Tainted filename for search: '/etc/exim4/cust.d/xxample.ru'
>>> warn: condition test error in ACL "test_domain_data"

--------------------------------------------------------------------------
Test was run on Debian, package exim4-daemon-light 4.94-4 for amd64.

This testcase also shows that $domain_data is NOT always untainted.

In my opinion, the documentation for $domain_data and $local_part_data
is misleading. It creates the illusion that those variables are filled
on lookup and are bound to the lookup data, but they are filled on
condition match and are bound to the condition expression.

PS. All written here is for ACLs; I did not test routers and transports yet.
--
Eugene Berdnikov
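As an added configuration sketch (not from this thread or the Exim project), this is the usual way to get an untainted $domain_data for the testcase above: match the domain through a lookup whose data is the domain itself, so $domain_data carries lookup data rather than a copy of the tainted $domain. The list file /etc/exim4/local_domains, its content and the /etc/exim4/cust.d/ path are assumptions; a bare "xxample.ru:" line (zero-length data, as in the quoted reply) would give an empty $domain_data.

```exim
# Added example, not part of the original post. Assumed list file
# /etc/exim4/local_domains maps each domain to itself, so the lsearch
# returns non-empty, untainted data:
#
#   xxample.ru: xxample.ru
#
domainlist local_domains = lsearch;/etc/exim4/local_domains

test_domain_data:

 warn
    # Matched via a lookup: $domain_data now holds the lookup data.
    domains     = +local_domains
    logwrite    = matched domain=\"$domain\" domain_data=\"$domain_data\"
    # The tainted $domain must not be used to build the filename;
    # the lookup-derived $domain_data may.
    condition   = ${if !eq{${lookup {$domain_data} lsearch \
                  {/etc/exim4/cust.d/$domain_data}}}{}}
```

With the original "domains = $domain" the same condition logs "Tainted filename for search" as shown in the debug output; with the lookup-based match the per-domain file is opened.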