Re: [exim] De-taint data

On 10/26/20 12:22 PM, Jeremy Harris via Exim-users wrote:
> On 26/10/2020 09:53, Gregory Edigarov via Exim-users wrote:
>> Having this in config, exim-4.94
>>
>> local_copy_incoming:
>>    driver = appendfile
>>    directory = /var/vmail/backup/$domain/$local_part/incoming
>
> Most of this info is in the documentation.
>
> You need to deliberately check that those variable
> values, which have been supplied by a potential
> attacker, are actually valid on your system.  This has to
> be done in a way that Exim knows a validated version
> of the data that you can use in that "directory" option.
>
> If the local_part is a real user on the system then
> the "check_local_user" option on the router selecting
> this transport is the simplest way for this component.
> A success for that check fills in $local_part_data
> with an untainted version of $local_part.
>
> For virtual users (not existing in the password file),
> and for domains, you have to do deliberate lookups
> in other local sources of data.  You might, for example,
> have a Postgres DB with your list of locally-serviced
> domains.  Commonly your router will be checking for these
> domains using a "domains" condition.  If this condition
> uses a lookup then it will populate $domain_data
> with an untainted result from the lookup.  Likewise, the
> "local_parts" option can populate $local_part_data from
> a lookup result.

Well, in my use case, this local_copy_incoming transport
is chained to virtual_delivery transport, via the

virtual_delivery:
  driver = appendfile
  envelope_to_add
  return_path_add
  mode = 0600
  maildir_format = true
  create_directory = true
  directory = ${extract{smtp}{$address_data}}
  user = mail
#${extract{uid}{$address_data}}
  group = mail
#${extract{gid}{$address_data}}
  quota = ${extract{quota}{$address_data}{${value}M}}
  quota_is_inclusive = false
  #quota_size_regex = ,S=(\d+):
  quota_warn_threshold = 75%
  maildir_use_size_file = false
  quota_warn_message = "To: $local_part@$domain\n\
                        Subject: Mailbox quota warning\n\n\
                        This message was automatically generated by the
mail delivery software.\n\n\
                        You are now using over 75% of your allocated
mail storage quota.\n\n\
                        If your mailbox fills completely, further
incoming messages will be automatically\n\
                        returned to their senders.\n\n\
                        Please take note of this and remove unwanted
mail from your mailbox.\n"
  shadow_transport = local_copy_incoming



which resolves from this router:

virtual_domains:
  driver = redirect
  domains = +local_domains
  address_data = ${lookup mysql{\
        select smtp, users.sa_tag*10 AS sa_tag, users.on_spamassassin
AND domains.spamassassin AS on_spamassassin, \
        users.uid AS uid, users.gid AS gid, quota \
        from users,domains \
        where localpart = '${quote_mysql:$local_part}' \
                and domain = '${quote_mysql:$domain}' \
                and domains.enabled = '1' \
                and users.enabled = '1' \
                and users.domain_id = domains.domain_id}{$value}fail}
  allow_fail
  data = ${extract{smtp}{$address_data}}
  headers_add = ${if and { \
                    {match{$domain}{$original_domain}} \
                    {match{$local_part}{$original_local_part}} \
{>={$spam_score_int}{${extract{sa_tag}{$address_data}}}} \
{eq{1}{${extract{on_spamassassin}{$address_data}}}} \
                    } {X-Spam-Flag: YES\nX-Spam-Score:
$acl_m_spam_score\nX-Spam-Report: $acl_m_spam_report}{} }
    local_part_suffix = +*
    local_part_suffix_optional
  retry_use_local_part
  file_transport = virtual_delivery
  reply_transport = address_reply
  pipe_transport = address_pipe

this router and virtual_delivery transport work just ok.

So the question is how to correctly connect shadow transport to this
processing in case of 4.94?


Thank you