Autor: Jeremy Harris Datum: To: exim-users Betreff: Re: [exim] De-taint data
On 26/10/2020 09:53, Gregory Edigarov via Exim-users wrote: > Having this in config, exim-4.94
>
> local_copy_incoming:
> driver = appendfile
> directory = /var/vmail/backup/$domain/$local_part/incoming
Most of this info is in the documentation.
You need to deliberately check that those variable
values, which have been supplied by a potential
attacker, are actually valid on your system. This has to
be done in a way that Exim knows a validated version
of the data that you can use in that "directory" option.
If the local_part is a real user on the system then
the "check_local_user" option on the router selecting
this transport is the simplest way for this component.
A success for that check fills in $local_part_data
with an untainted version of $local_part.
For virtual users (not existing in the password file),
and for domains, you have to do deliberate lookups
in other local sources of data. You might, for example,
have a Postgres DB with your list of locally-serviced
domains. Commonly your router will be checking for these
domains using a "domains" condition. If this condition
uses a lookup then it will populate $domain_data
with an untainted result from the lookup. Likewise, the
"local_parts" option can populate $local_part_data from
a lookup result.
--
Cheers,
Jeremy