Re: [exim] Tainted PATH (file or directory name for maildir…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Tainted PATH (file or directory name for maildir_spam_delivery transport) not permitted
On 29/11/2020 15:07, Adam Major via Exim-users wrote:
> mysql_localuser:
>     driver = accept

          # This gives you $domain_data

>     domains = +local_domains
>     condition = ${if eq{}{${lookup mysql {SELECT mail_user FROM mail_box WHERE \
>         mail_domain='${quote_mysql:$domain}' AND mail_user='${quote_mysql:$local_part}'}}}{no}{yes}}
>     transport = mysql_delivery
>     no_more
>

... but where's your $local_part_data coming from?
>
> One on transport is:
> mysql_delivery:
>     driver = appendfile

           # You're using tainted data here

>     directory=/var/mail/virtual/${domain}/${local_part}/

...
           # you're doing a second DB transaction here; would be nice to
           # only have to do one

>     quota = ${lookup mysql{SELECT quota FROM mail_box WHERE mail_domain='${quote_mysql:$domain}' \
>              AND mail_user='${quote_mysql:$local_part}'}{$value}{5}}M
DELIVERY_LOOKUP = ${lookup mysql {SELECT mail_user, mail_domain, quota FROM mail_box \
            WHERE mail_domain='${quote_mysql:$domain}' AND mail_user='${quote_mysql:$local_part}'}}


mysql_localuser:
     driver =      accept
     domains =     ${extract {mail_domain}{DELIVERY_LOOKUP}}
     local_parts = ${extract {mail_user}{DELIVERY_LOOKUP}}
     transport =   mysql_delivery
     # only needed if not last router
     more =        no
...


mysql_delivery:
   driver =    appendfile
   directory =    /var/mail/virtual/${domain_data}/${local_part_data}/
   quota =    ${extract {quota}{DELIVERY_LOOKUP}}
The lookup result is cached, and re-used because the lookup is the same in all three places.
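A small Python model of the rule the thread is about, added here as an illustration (it is not part of the thread and not Exim code): envelope-derived $local_part/$domain are tainted and may not form a file name, the row the lookup returns is usable, and an identical lookup is served from cache. The table rows and all function names are constructed for the example.

```python
"""Toy model of Exim's taint rule: values taken from the SMTP envelope
($local_part, $domain) are tainted and must not name files or directories;
the row returned by a lookup ($local_part_data, $domain_data) is not tainted."""
from functools import lru_cache
from typing import NamedTuple, Optional
import posixpath


class Tainted(str):
    """A string that originated from the envelope (untrusted)."""


class MailBox(NamedTuple):
    mail_user: str
    mail_domain: str
    quota: int


# Constructed stand-in for the mail_box table (hypothetical sample row).
MAIL_BOX_TABLE = {
    ("example.org", "alice"): MailBox("alice", "example.org", 10),
}


@lru_cache(maxsize=None)   # models Exim reusing the cached result of an identical lookup
def delivery_lookup(domain: str, local_part: str) -> Optional[MailBox]:
    """Models DELIVERY_LOOKUP: tainted key in, untainted row (or None) out.
    The keyed dict lookup plays the role of the ${quote_mysql:...} query."""
    return MAIL_BOX_TABLE.get((str(domain).lower(), str(local_part)))


def build_maildir(domain: str, local_part: str) -> str:
    """The appendfile 'directory' expansion: refuses tainted components,
    which is the error message in the subject line of the thread."""
    for value in (domain, local_part):
        if isinstance(value, Tainted):
            raise ValueError(f"Tainted value {value!r} not permitted in file name")
    return posixpath.join("/var/mail/virtual", domain, local_part, "")


def maildir_from_envelope(domain: Tainted, local_part: Tainted) -> str:
    """The original transport: path built straight from $domain/$local_part."""
    return build_maildir(domain, local_part)


def maildir_from_lookup(domain: Tainted, local_part: Tainted) -> Optional[str]:
    """The fix: the router's lookup yields mail_domain/mail_user, and the
    transport builds the directory from those values only."""
    row = delivery_lookup(domain, local_part)
    if row is None:
        return None                 # router declines (no such mailbox)
    return build_maildir(row.mail_domain, row.mail_user)
```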

--
Cheers,
Jeremy