[exim] De-tainting with ${sg} expansion

Author: Jamie Barnes
Date:  
To: Exim-users
Subject: [exim] De-tainting with ${sg} expansion
Hi all;

Firstly, just to note that I understand the purpose of tainting data, and appreciate any improvements to security within Exim.

That said, I was already aware of the potential for bad variable data being exposed to the server, and was removing non-alphanumeric characters from $local_part (or, at least, attempting to) with the expansion ${sg{$local_part}{\N[^A-Za-z0-9_.-]\N}{_}}. However, this still appears to fail in my transports.

Is ${sg} not a suitable expansion to de-taint $local_part or $domain? If not, that massively screws with the long-term archival that I am required to do with my Exim mail server (which I appreciate may not have the same use-case as a normal mail server).

Regex replacement as a de-taint operation is the typical approach in Perl (where they also apply a tainting principle), so I would have reasonably expected it to be the same here.

If not, I am desperately in need of an alternative for the following two transports, where I need to be able to store *any* received mail (not handled by earlier routers/transports) in a browsable directory structure, and so don't have valid lookups that I can do:

-----------------
BADFILECHARS                    = \N[^A-Za-z0-9_.-]\N


local_unhandled:
  driver                        = appendfile
  create_directory              = yes
  directory                     = /var/spool/exim/unhandled/\
                                  ${sg{$domain}{BADFILECHARS}{_}}/\
                                  ${sg{$local_part}{BADFILECHARS}{_}}/\
                                  $tod_logfile
  user                          = exim
  group                         = mail
  mode                          = 0660
### end local_unhandled


local_delivery:
  driver                        = appendfile
  file                          = ${if or{{bool{$acl_m_localdiscard}}           \
                                          {bool{${lookup{$local_part}           \
                                                        lsearch{/etc/passwd}    \
                                                        {no}                    \
                                                        {yes}}}}}               \
                                       {/dev/null}                              \
                                       {/var/spool/mail/${sg{$local_part}{BADFILECHARS}{_}}}}
  user                          = ${if or{{bool{$acl_m_localdiscard}}           \
                                          {eqi {$local_part}{root}}             \
                                          {bool{${lookup{$local_part}           \
                                                         lsearch{/etc/passwd}   \
                                                         {no}                   \
                                                         {yes}}}}}              \
                                       {mail}                                   \
                                       {$local_part}}
  group                         = mail
  mode                          = 0620
  delivery_date_add
  envelope_to_add
  return_path_add
  notify_comsat
### end local_delivery
-----------------


I've been avoiding check_local_user (since it tries to chdir into home directories that the exim user has no access to), so I don't think I have access to $local_part_data (as nothing populates it).

I would dearly love to avoid downgrading to 4.93, off the back of this change.

Regards.
J.
-----------------
~# exim -bV
Exim version 4.94 #2 built 01-Jun-2020 19:51:21
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL Content_Scanning DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR PROXY SOCKS SPF DMARC TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf

~# yum list installed | grep exim
exim.x86_64                         4.94-1.el7                         @epel
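
The two taint models the message contrasts, as an added illustration that is not part of the original post and is not Exim's code: in the Perl-style model text extracted by a regex match counts as clean, while in a propagation model (a simplification of how Exim 4.94 treats expansions) the output of a substitution over tainted input stays tainted and only a value returned by a lookup in trusted data is clean. The type and function names, the `SAFE` pattern and the sample address are assumptions constructed for the example.

```python
import re

BADFILECHARS = re.compile(r"[^A-Za-z0-9_.-]")  # pattern from the post
SAFE = re.compile(r"[A-Za-z0-9_.-]+")          # assumed allow-list form of the same class

class Str:
    """A string carrying a taint flag (hypothetical model type)."""
    def __init__(self, text, tainted):
        self.text, self.tainted = text, tainted

def sg(subject, pattern, replacement):
    """Propagation model: a substitution's output inherits the input's taint."""
    return Str(pattern.sub(replacement, subject.text), subject.tainted)

def perl_style_untaint(subject, pattern):
    """Perl-style model: text extracted by a successful match is treated as clean."""
    m = pattern.fullmatch(subject.text)
    return Str(m.group(0), False) if m else None

def lookup(key, trusted_entries):
    """Lookup model: the result is the trusted copy of the entry, never the key."""
    for entry in trusted_entries:
        if entry == key.text:
            return Str(entry, False)
    return None

def build_path(base, *parts):
    """Model of a file or directory option that refuses tainted components."""
    for part in parts:
        if part is None or part.tainted:
            raise ValueError("tainted or missing path component")
    return "/".join([base] + [part.text for part in parts])

def demo():
    """Return (sg_accepted, path_from_lookup) for constructed sample input."""
    base = "/var/spool/exim/unhandled"
    domain = Str("example.org", True)            # constructed, tainted as received
    local_part = Str("j.barnes+archive", True)   # constructed, tainted as received
    try:
        build_path(base, sg(domain, BADFILECHARS, "_"),
                   sg(local_part, BADFILECHARS, "_"))
        sg_accepted = True
    except ValueError:
        sg_accepted = False                      # sanitised text, but still tainted
    clean = lookup(domain, ["example.org", "example.net"])  # constructed trusted list
    return sg_accepted, build_path(base, clean)

if __name__ == "__main__":
    print(demo())
```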