Re: [exim] "allow_insecure_tainted_data = yes" - was: tainte…

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users <exim-users@???> wrote:
[...]
>         .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
>         allow_insecure_tainted_data = yes
>         .endif


Hello,

I just did a test build on the fixes branch, added the
allow_insecure_tainted_data setting and changed the mail_spool
transport:
- file = /var/mail/$local_part_data
+ file = /var/mail/$local_part

Success was limited though. Without the patch the message delivery is
deferred. With the patch the message is frozen for
"allow_insecure_tainted_data = yes" (log file excerpt below).

==> /var/log/exim4/mainlog <==
2021-04-11 08:26:08 1lVTXs-000F7W-0D <= ametzler@??? H=localhost (argenau.bebt.de) [::1] P=esmtp S=476 id=20210411082607.058125@???
2021-04-11 08:26:08 1lVTXs-000F7W-0D failed to read delivery status for ametzler@localhost from delivery subprocess

Debug log:
08:26:08 58128 R: local_user for ametzler@localhost
08:26:08 58128 calling local_user router
08:26:08 58128 local_user router called for ametzler@localhost
08:26:08 58128   domain = localhost
08:26:08 58128 set transport mail_spool
08:26:08 58128 queued for mail_spool transport: local_part = ametzler
08:26:08 58128 domain = localhost
08:26:08 58128   errors_to=NULL
08:26:08 58128   domain_data=localhost local_part_data=ametzler
08:26:08 58128 routed by local_user router
08:26:08 58128   envelope to: ametzler@localhost
08:26:08 58128   transport: mail_spool
08:26:08 58128 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
08:26:08 58128 After routing:
08:26:08 58128   Local deliveries:
08:26:08 58128     ametzler@localhost
08:26:08 58128   Remote deliveries:
08:26:08 58128   Failed addresses:
08:26:08 58128   Deferred addresses:
08:26:08 58128 search_tidyup called
08:26:08 58128 >>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>
08:26:08 58128 --------> ametzler@localhost <--------
08:26:08 58128  locking /var/spool/exim4/db/retry.lockfile
08:26:08 58128  locked  /var/spool/exim4/db/retry.lockfile
08:26:08 58128  EXIM_DBOPEN: file </var/spool/exim4/db/retry> dir </var/spool/exim4/db> flags=O_RDONLY
08:26:08 58128  returned from EXIM_DBOPEN: 0x55693f0b8380
08:26:08 58128  opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
08:26:08 58128  dbfn_read: key=T:ametzler@localhost
08:26:08 58128 retry record exists: age=5m11s (max 1w)
08:26:08 58128   time to retry = 9m49s expired = 0
08:26:08 58128  EXIM_DBCLOSE(0x55693f0b8380)
08:26:08 58128  closed hints database and lockfile
08:26:08 58128 search_tidyup called
08:26:08 58128 daemon-accept-delivery forking for delivery-local
08:26:08 58128 daemon-accept-delivery forked for delivery-local: 58130
08:26:08 58130 postfork: delivery-local
08:26:08 58130 changed uid/gid: local delivery to ametzler <ametzler@localhost> transport=mail_spool
08:26:08 58130   uid=1001 gid=8 pid=58130
08:26:08 58130   auxiliary group list: <none>
08:26:08 58130   home=/home/ametzler current=/home/ametzler
08:26:08 58130 set_process_info: 58130 delivering 1lVTXs-000F7W-0D to ametzler using mail_spool
08:26:08 58130  ╭considering: T: appendfile for $local_part@$domain
08:26:08 58130  ├──expanding: T: appendfile for $local_part@$domain
08:26:08 58130  ╰─────result: T: appendfile for ametzler@localhost
08:26:08 58130             ╰──(tainted)
08:26:08 58130 T: appendfile for ametzler@localhost
08:26:08 58130 appendfile transport entered
08:26:08 58130  ╭considering: /var/mail/$local_part
08:26:08 58130  ├──expanding: /var/mail/$local_part
08:26:08 58130  ╰─────result: /var/mail/ametzler
08:26:08 58130             ╰──(tainted)
08:26:08 58130 LOG: MAIN
08:26:08 58130   Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
08:26:08 58130 appendfile: mode=660 notify_comsat=0 quota=0 warning=0
08:26:08 58130   file=/var/mail/ametzler format=unix
08:26:08 58130   message_prefix=From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n
08:26:08 58130   message_suffix=\n
08:26:08 58130   maildir_use_size_file=no
08:26:08 58130   locking by lockfile fcntl
08:26:08 58130 lock name: /var/mail/ametzler.lock
08:26:08 58130 hitch name: /var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312
08:26:08 58130 LOG: MAIN
08:26:08 58130   Warning: Tainted filename '/var/mail/ametzler.lock.argenau.bebt.de.60729680.0000e312'
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128   failed to read delivery status for ametzler@localhost from delivery subprocess
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128   appendfile transport process returned non-zero status 0x0100: exit code 1
08:26:08 58128 mail_spool transport returned DEFER for ametzler@localhost
08:26:08 58128 added retry item for T:ametzler@localhost: errno=-1 more_errno=0 flags=0
08:26:08 58128 post-process ametzler@localhost (1)
08:26:08 58128 LOG: MAIN
08:26:08 58128   == ametzler@localhost R=local_user T=mail_spool defer (-1)


BTW the build-log with patch is very noisy:
-------------------
cc -c -g -O2 -ffile-prefix-map=/dev/shm/EXIM4/exim-4.94=. -fstack-protector-strong -Wformat -Werror=format-security  -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -Wdate-time -D_FORTIFY_SOURCE=2 -fvisibility=hidden  -DCOMPILE_UTILITY -o util-spool_in.o spool_in.c
In file included from exim.h:486,
                 from spool_in.c:13:
functions.h: In function 'is_tainted2':
functions.h:1098:80: warning: pointer targets in passing argument 6 of 'string_vformat_trc' differ in signedness [-Wpointer-sign]
 1098 | msg = string_from_gstring(string_vformat(NULL, SVFMT_TAINT_NOCHK|SVFMT_EXTEND, fmt, ap));
      |                                                                                ^~~
      |                                                                                |
      |                                                                                const uschar * {aka const unsigned char *}
functions.h:550:39: note: in definition of macro 'string_vformat'
  550 |     STRING_SPRINTF_BUFFER_SIZE, flgs, fmt, ap)
      |                                       ^~~
functions.h:552:24: note: expected 'const char *' but argument is of type 'const uschar *' {aka 'const unsigned char *'}
  552 |    unsigned, unsigned, const char *, va_list);
      |                        ^~~~~~~~~~~~
functions.h: In function 'exim_open2':
functions.h:1119:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1119 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~
      |                                                |
      |                                                char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_open':
functions.h:1128:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1128 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~
      |                                                |
      |                                                char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_openat':
functions.h:1137:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1137 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~
      |                                                |
      |                                                char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
functions.h:1136:9: warning: unused variable 'msg' [-Wunused-variable]
 1136 | uschar *msg;
      |         ^~~
functions.h: In function 'exim_openat4':
functions.h:1145:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1145 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~
      |                                                |
      |                                                char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_fopen':
functions.h:1154:48: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1154 | if (!is_tainted2(pathname, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname))
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~
      |                                                |
      |                                                char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
functions.h: In function 'exim_opendir':
functions.h:1163:44: warning: pointer targets in passing argument 3 of 'is_tainted2' differ in signedness [-Wpointer-sign]
 1163 | if (!is_tainted2(name, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name))
      |                                            ^~~~~~~~~~~~~~~~~~~~~~
      |                                            |
      |                                            char *
functions.h:1087:54: note: expected 'const uschar *' {aka 'const unsigned char *'} but argument is of type 'char *'
 1087 | is_tainted2(const void *p, int lflags, const uschar* fmt, ...)
      |                                        ~~~~~~~~~~~~~~^~~
-------------------


cu Andreas
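The behaviour in the post (a path built from $local_part refused, a path built from $local_part_data accepted, and the derived lock/hitch names flagged as well) is ordinary taint tracking through string expansion. The following toy model is an added illustration written for this page, not Exim's code: envelope-derived values carry a taint bit, a router lookup against a constructed local user table yields a clean $local_part_data, taint is sticky across concatenation, and every file-name use runs the same policy check. Function names, the PASSWD table and the "allow_insecure" flag are assumptions of the model; unlike the real build in the post, every check here honours the option, so it does not reproduce the exit code 1 seen at the lockfile.

```python
"""Toy model of Exim-style taint tracking through string expansion.

Added example, not Exim's code.  Values that originate in the message
envelope (e.g. $local_part) are tainted; values produced by a router lookup
against local, trusted data (e.g. $local_part_data) are not.  Taint is sticky:
any string built from a tainted piece is itself tainted.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class TStr:
    """A string plus a taint bit."""
    value: str
    tainted: bool = False

    def __add__(self, other: "TStr") -> "TStr":
        # Concatenation propagates taint from either side.
        return TStr(self.value + other.value, self.tainted or other.tainted)


_VAR = re.compile(r"\$(\w+)")


def expand(template: str, variables: dict) -> TStr:
    """Expand $name references.  The template text itself is trusted config;
    the result is tainted only if a substituted variable is tainted."""
    out = TStr("")
    pos = 0
    for m in _VAR.finditer(template):
        out = out + TStr(template[pos:m.start()])
        out = out + variables[m.group(1)]
        pos = m.end()
    return out + TStr(template[pos:])


# Constructed stand-in for the local user database a router would consult.
PASSWD = {"ametzler": "ametzler"}


def route(envelope_local_part: str, domain: str) -> dict:
    """Like a local_user router: $local_part and $domain come from the
    envelope and are tainted; $local_part_data is the lookup result and is
    clean, because it was read from trusted local data, not from the mail."""
    if envelope_local_part not in PASSWD:
        raise LookupError("no such user")
    return {
        "local_part": TStr(envelope_local_part, tainted=True),
        "domain": TStr(domain, tainted=True),
        "local_part_data": TStr(PASSWD[envelope_local_part]),
    }


def check_filename(name: TStr, what: str, allow_insecure: bool, log: list) -> bool:
    """Policy applied at every file-name use: refuse tainted names, unless the
    (assumed) allow_insecure flag downgrades the refusal to a logged warning."""
    if not name.tainted:
        return True
    log.append(f"Warning: Tainted '{name.value}' ({what}) not permitted")
    return allow_insecure


def deliver(file_template: str, envelope_local_part: str, domain: str,
            allow_insecure: bool, hostname: str = "host.example"):
    """Simulate an appendfile delivery; returns ("delivered"|"defer", log)."""
    log: list = []
    variables = route(envelope_local_part, domain)
    path = expand(file_template, variables)
    if not check_filename(path, "file for mail_spool transport", allow_insecure, log):
        return "defer", log
    # Lock and hitch names are derived from the path, so they inherit its
    # taint: allowing the first use does not make the derived names clean.
    lockfile = path + TStr(".lock")
    hitch = lockfile + TStr(f".{hostname}.deadbeef.00000001")  # constructed suffix
    for name, what in ((lockfile, "lockfile"), (hitch, "hitch file")):
        if not check_filename(name, what, allow_insecure, log):
            return "defer", log
    return "delivered", log


if __name__ == "__main__":
    for template, allow in (("/var/mail/$local_part_data", False),
                            ("/var/mail/$local_part", False),
                            ("/var/mail/$local_part", True)):
        status, log = deliver(template, "ametzler", "localhost", allow)
        print(f"{template:28} allow_insecure={allow!s:5} -> {status}")
        for line in log:
            print("   ", line)
```

The point the model makes explicit is why the documented fix is to use $local_part_data rather than to switch the check off: the lookup result is clean by construction, whereas allowing a tainted $local_part at one site leaves every name derived from it (lock file, hitch file) tainted at every later site.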