Re: [exim] [exim-dev] [Bug 2636] usage of local_part in vir…

Author: Melvin - Melv.nl
Date:  
To: Andrew C Aitchison
CC: exim-users
Subject: Re: [exim] [exim-dev] [Bug 2636] usage of local_part in virtual_localdelivery results in tainted
The virtual_localdelivery directory part does not use local_parts_data,
just local_parts. And that does not work; changing it to
local_parts_data does not work either, unfortunately...


Kind regards,
Melvin

0412 725 745
m@??? | www.melv.nl

Our general terms and conditions and data processing agreement
<https://www.melv.nl/algemenevoorwaarden.pdf> apply to all legal
relationships between Melv and its clients.


On Thu, 27 Aug 2020 at 18:31, Andrew C Aitchison <
andrew@???> wrote:

>
> Transferred from exim-dev to exim-users
>
> > https://bugs.exim.org/show_bug.cgi?id=2636
> >
> > --- Comment #8 from Tony Feestneus <m@???> ---
> > Will try there then, although I fear everyone will point at each other
> in this
> > issue. Hope you can think about a solution or quick fix maybe?
>
> If I understand correctly we are talking about this transport:
>
> #COMMENT#57:
> virtual_localdelivery:
>    driver = appendfile
>    create_directory
>    delivery_date_add
>    directory_mode = 770
>    envelope_to_add
>    directory =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}}lsearch{/etc/passwd}{$value}}}}/imap/${domain_data}/${local_part_data}/Maildir"
>    maildir_format
>    group = mail
>    mode = 660
>    return_path_add
>    user =
> "${lookup{$domain_data}lsearch*{/etc/virtual/domainowners}{$value}}"
>    quota = ${if
> exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}}
>    .include_if_exists /etc/exim/virtual_localdelivery.conf.post

>
> -------------------------
>
> I'm not an expert on this stuff, but ...
> the directory line has ${local_part_data} so that variable should
> be available in the quota line.
> I *guess* that changing that line to
>    quota = ${if
> exists{/etc/virtual/${domain}/quota}{${lookup{$local_part_data}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}}
> ( sed -e /quota/s/local_part/local_part_data/ )
> should solve this particular taint.

>
> In the exim doc, Chapter 9.Expansion variables read about $local_part and
> $local_part_data
>
> https://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECTexpansionitems
>
>   Warning: the content of this variable is usually provided by a
>   potential attacker. Consider carefully the implications of using it
>   unvalidated as a name for file access. This presents issues for
>   users' .forward and filter files.
>          ...          ...
>   For virtual users, store a suitable pathname component in the database
>   which is used for account name validation, and use that retrieved
>   value rather than this variable. Often $local_part_data is usable in
>   this role. If needed, use a router address_data or set option for the
>   retrieved data.

>
>
>
> --
> Andrew C. Aitchison                                     Kendal, UK
>                         andrew@???
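
Added example, not part of the thread and not Exim code: a small Python model of the advice in the quoted documentation, where the attacker-supplied local part is used only as a lookup key and the path is built from the value stored in the account database. The file format is a simplified "key: data" layout, the lowercased key match is a choice of this sketch, and BASE, the sample accounts and all function names are hypothetical.

```python
import os

# Constructed sample of an lsearch-style account file, one "key: data" per line.
# The data field is the Maildir directory name the operator chose for that user.
SAMPLE_ACCOUNTS = """\
# local part: directory name (constructed sample)
alice: alice
bob:   bob.smith
"""
BASE = "/home/owner/imap/example.test"  # hypothetical per-domain mail root

def parse_accounts(text):
    """Parse a simplified "key: data" file, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, data = line.partition(":")
            table[key.strip().lower()] = data.strip()
    return table

def naive_maildir(local_part):
    """Unsafe pattern: the envelope local part goes straight into the path."""
    return os.path.normpath(os.path.join(BASE, local_part, "Maildir"))

def validated_maildir(local_part, accounts):
    """Use the local part only as a lookup key; build the path from stored data.

    Returns None for an unknown user and never falls back to the raw input.
    The stored value plays the role the quoted text gives $local_part_data.
    """
    stored = accounts.get(local_part.lower())
    if stored is None:
        return None
    # Defence in depth: the stored value must be a single path element.
    if stored in ("", ".", "..") or "/" in stored or "\0" in stored:
        raise ValueError("unsafe path component in account file")
    return os.path.join(BASE, stored, "Maildir")

if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_ACCOUNTS)
    for rcpt in ("bob", "../../../../etc"):
        print(repr(rcpt), naive_maildir(rcpt), validated_maildir(rcpt, accounts))
```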