Re: [exim] [exim-dev] [Bug 2636] usage of local_part in vir…

Author: Andrew C Aitchison
Date:  
To: m, exim-users
Subject: Re: [exim] [exim-dev] [Bug 2636] usage of local_part in virtual_localdelivery results in tainted

Transferred from exim-dev to exim-users

> https://bugs.exim.org/show_bug.cgi?id=2636
>
> --- Comment #8 from Tony Feestneus <m@???> ---
> Will try there then, although I fear everyone will point at each other in this
> issue. Hope you can think about a solution or quick fix maybe?


If I understand correctly we are talking about this transport:

#COMMENT#57:
virtual_localdelivery:
driver = appendfile
create_directory
delivery_date_add
directory_mode = 770
envelope_to_add
directory = "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}}lsearch{/etc/passwd}{$value}}}}/imap/${domain_data}/${local_part_data}/Maildir"
maildir_format
group = mail
mode = 660
return_path_add
user = "${lookup{$domain_data}lsearch*{/etc/virtual/domainowners}{$value}}"
quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}}
.include_if_exists /etc/exim/virtual_localdelivery.conf.post

-------------------------

I'm not an expert on this stuff, but ...
the directory line has ${local_part_data} so that variable should
be available in the quota line.
I *guess* that changing that line to
quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part_data}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}}
( sed -e /quota/s/local_part/local_part_data/ )
should solve this particular taint.

In the Exim doc, Chapter 9 (Expansion variables), read about $local_part and $local_part_data:
https://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECTexpansionitems

  Warning: the content of this variable is usually provided by a
  potential attacker. Consider carefully the implications of using it
  unvalidated as a name for file access. This presents issues for
  users' .forward and filter files.
         ...          ...
  For virtual users, store a suitable pathname component in the database
  which is used for account name validation, and use that retrieved
  value rather than this variable. Often $local_part_data is usable in
  this role. If needed, use a router address_data or set option for the
  retrieved data.




-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
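As an added illustration of the taint rule the quoted documentation describes (this is not part of the mail above and not Exim's own code): a small Python model of how Exim treats $local_part versus $local_part_data. A tainted value may be used as a lookup key, a tainted value may not appear in a file name, and the value read back from the lookup file is untainted. The file contents and the names TStr, lsearch, maildir_path and deliver_paths are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TStr:
    """A string that remembers whether it came from the message (tainted)."""
    value: str
    tainted: bool

class TaintError(Exception):
    pass

# Constructed stand-in for a lookup file such as /etc/virtual/example.org/passwd:
# "key: value" lines as lsearch expects; the value is what $local_part_data holds.
PASSWD_FILE = "alice: alice\nbob: bob\n"

def lsearch(key: TStr, file_name: TStr, text: str) -> Optional[TStr]:
    """Model of an lsearch lookup: a tainted key is allowed, a tainted file
    name is not, and the value found in the trusted file comes back untainted."""
    if file_name.tainted:
        raise TaintError(f"tainted file name {file_name.value!r} in lookup")
    for line in text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip() == key.value:
            return TStr(v.strip(), tainted=False)
    return None

def maildir_path(base: TStr, domain: TStr, user: TStr) -> str:
    """Model of the directory option: every path component must be untainted."""
    for part in (base, domain, user):
        if part.tainted:
            raise TaintError(f"tainted value {part.value!r} used in a file name")
    return f"{base.value}/imap/{domain.value}/{user.value}/Maildir"

def deliver_paths(local_part: str, domain_data: TStr) -> dict:
    """Build the Maildir path both ways for one recipient."""
    tainted_lp = TStr(local_part, tainted=True)    # $local_part, straight from the message
    base = TStr("/home/owner", tainted=False)      # home dir from the /etc/passwd lookup
    passwd = TStr(f"/etc/virtual/{domain_data.value}/passwd", tainted=False)
    lp_data = lsearch(tainted_lp, passwd, PASSWD_FILE)  # what $local_part_data would hold
    result = {}
    try:
        result["local_part"] = maildir_path(base, domain_data, tainted_lp)
    except TaintError as err:
        result["local_part"] = f"rejected: {err}"
    if lp_data is None:
        result["local_part_data"] = "no such user"
    else:
        result["local_part_data"] = maildir_path(base, domain_data, lp_data)
    return result
```

Running deliver_paths("alice", TStr("example.org", tainted=False)) shows the path built from $local_part rejected and the one built from $local_part_data accepted; a local part missing from the file yields "no such user" rather than a path.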