Re: [exim] de-taint a file string

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] de-taint a file string
On 13/07/2020 12:56, Niels Kobschätzki via Exim-users wrote:
> I am looking through the documentation and the mailing list but I cannot
> find out how to convert this simple acl:
>
>  deny  message = Invalid user
>         domains = partial-lsearch;/usr/local/etc/exim/conf/secondary_filter_domains


      # you did a search; $domain_data gets the result


>         local_parts = !nwildlsearch;/usr/local/etc/exim/conf/secondary_accounts/$domain
>
> When I just switch to $domain_data I get this error
> failed to open
> /usr/local/etc/exim/conf/secondary_accounts/194.xxx.xxx.xxx for linear
> search: No such file or directory


    So the result was "194.xxx.xxx.xxx", which is rather different
from the equivalent to the $domain that you used to use.


You need to develop a way of both validating the $domain *and* getting
an untainted string for the file for your lookup checking the
local_parts condition...

You are validating $domain currently using a partial-lsearch.
The data isn't currently usable. You could consider whether
that data is actually needed elsewhere (you're not using it here, so
far).
The key in the file isn't usable, if you're employing partial-
facilities. You could consider whether you really need the partial-
matching feature.

You could validate by some other means, eg. the actual existence of
the file you're about to use for the local_parts condition. Hint:
"dsearch" (and ret-full, possibly).

>
> And can someone give me a hint how do I test stuff like this? I know
> there is exim -be, but I have no clue how I could just test if for example:
> recipient = foo@???
> the above lookup will look in
> /usr/local/etc/exim/conf/secondary_accounts/bar.org for “foo”


There's two ways. Well, three.

- For ACL stuff, use the debug facilities and actual test messages.
This can, depending on the test message source (smtp vs. non-)
require running the daemon with debug.
- If you have a message sitting in spool, -bem to set up all the
variables from it.
- Sprinkle printf, errm, logwrite liberally around.
--
Cheers,
Jeremy
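
An added example, not part of the message above and not Exim project code: one way to act on the "dsearch" hint, with the original ACL kept as a comment for comparison. It assumes Exim 4.94 or later, that every secondary domain has a file named exactly after the domain in the secondary_accounts directory, and that partial matching and the secondary_filter_domains file are no longer needed.

```exim
# Added example; the paths are the ones quoted in the thread.

# Before: $domain is taken from the SMTP RCPT command, so it is tainted
# and Exim refuses to use it as part of a filename.
#
# deny  message     = Invalid user
#       domains     = partial-lsearch;/usr/local/etc/exim/conf/secondary_filter_domains
#       local_parts = !nwildlsearch;/usr/local/etc/exim/conf/secondary_accounts/$domain

# After: validate the domain by the existence of its accounts file.
# dsearch looks the key up as a directory entry and, on success, puts the
# entry name in $domain_data. That value comes from the lookup rather than
# from the client, so it is untainted and may be used in the file path.
# dsearch does not accept keys containing "/", so the client-supplied
# domain cannot be used to step outside the directory.
deny  message     = Invalid user
      domains     = dsearch;/usr/local/etc/exim/conf/secondary_accounts
      local_parts = !nwildlsearch;/usr/local/etc/exim/conf/secondary_accounts/$domain_data

# The lookup on its own can be checked from the command line:
#   exim -be '${lookup{bar.org}dsearch{/usr/local/etc/exim/conf/secondary_accounts}}'
# It expands to the entry name when the file exists and to an empty
# string when it does not.
```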