Hi all;
Firstly, just to note that I understand the purpose of tainting data, and appreciate any improvements to security within Exim.
That said, I was already aware of the potential for bad variable data being exposed to the server, and was removing non-alphanumeric characters from $local_part (or, at least, attempting to) with the expansion ${sg{$local_part}{\N[^A-Za-z0-9_.-]\N}{_}}. However, this still appears to fail in my transports.
Is ${sg} not a suitable expansion to de-taint $local_part or $domain? If not, that massively screws with the long-term archival that I am required to do with my Exim mail server (which I appreciate may not have the same use-case as a normal mail server).
Regex replacement as a de-taint operation is the typical approach in Perl (where they also apply a tainting principle), so I would have reasonably expected it to be the same here.
If not, I am desperately in need of an alternative for the following two transports, where I need to be able to store *any* received mail (not handled by earlier routers/transports) in a browsable directory structure, and so don't have valid lookups that I can do:
-----------------
BADFILECHARS = \N[^A-Za-z0-9_.-]\N

local_unhandled:
  driver = appendfile
  create_directory = yes
  directory = /var/spool/exim/unhandled/\
              ${sg{$domain}{BADFILECHARS}{_}}/\
              ${sg{$local_part}{BADFILECHARS}{_}}/\
              $tod_logfile
  user = exim
  group = mail
  mode = 0660
### end local_unhandled

local_delivery:
  driver = appendfile
  file = ${if or{{bool{$acl_m_localdiscard}} \
                 {bool{${lookup{$local_part} \
                                lsearch{/etc/passwd} \
                                {no} \
                                {yes}}}}} \
              {/dev/null} \
              {/var/spool/mail/${sg{$local_part}{BADFILECHARS}{_}}}}
  user = ${if or{{bool{$acl_m_localdiscard}} \
                 {eqi {$local_part}{root}} \
                 {bool{${lookup{$local_part} \
                                lsearch{/etc/passwd} \
                                {no} \
                                {yes}}}}} \
              {mail} \
              {$local_part}}
  group = mail
  mode = 0620
  delivery_date_add
  envelope_to_add
  return_path_add
  notify_comsat
### end local_delivery
-----------------
I've been avoiding check_local_user (since it tries to chdir into home directories that the exim user has no access to), so I don't think I have access to $local_part_data (as nothing populates it).
I would dearly love to avoid downgrading to 4.93, off the back of this change.
Regards.
J.
-----------------
~# exim -bV
Exim version 4.94 #2 built 01-Jun-2020 19:51:21
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL Content_Scanning DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR PROXY SOCKS SPF DMARC TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf
~# yum list installed | grep exim
exim.x86_64 4.94-1.el7 @epel
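
A simplified Python model of the behaviour described in this message, added here as an example and not taken from the post or from Exim's source. It assumes taint follows where a string came from: a regex substitution over `$local_part` stays tainted, while a lookup hands back a string from the administrator's own data. All class and function names are hypothetical, and the sample values are constructed.

```python
import re

class Tainted(str):
    """Model of a value supplied by the SMTP peer ($local_part, $domain)."""

# Same character class as the BADFILECHARS macro in the message.
BADFILECHARS = re.compile(r"[^A-Za-z0-9_.-]")

def sg(subject, pattern, replacement):
    """Model of ${sg{subject}{regex}{replacement}}: the result is derived from
    the input, so taint carries over however strict the pattern is."""
    out = pattern.sub(replacement, subject)
    return Tainted(out) if isinstance(subject, Tainted) else out

def lookup_key(key, table):
    """Model of a lookup (assumed semantics): on a match, return the copy held
    in the admin-controlled table, never the peer-supplied string."""
    for known in table:
        if known == key:
            return known
    return None

def join(*parts):
    """Concatenation is tainted if any part is tainted."""
    s = "".join(parts)
    return Tainted(s) if any(isinstance(p, Tainted) for p in parts) else s

def appendfile_path(path):
    """Model of the transport check: refuse a tainted file or directory name."""
    if isinstance(path, Tainted):
        raise PermissionError(f"tainted path refused: {path}")
    return path

if __name__ == "__main__":
    local_part = Tainted("j.doe+arch/ive")   # constructed sample
    users = ["root", "jdoe"]                  # constructed stand-in for a lookup file
    cleaned = sg(local_part, BADFILECHARS, "_")
    print(cleaned, "tainted:", isinstance(cleaned, Tainted))
    try:
        appendfile_path(join("/var/spool/mail/", cleaned))
    except PermissionError as exc:
        print(exc)
    key = lookup_key(Tainted("jdoe"), users)
    print(appendfile_path(join("/var/spool/mail/", key)))
```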