Re: [exim] tainted filname issue

Pàgina inicial
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
A: exim-users
Assumptes nous: [exim] ...
Assumpte: Re: [exim] tainted filname issue
Dan Egli via Exim-users <exim-users@???> (Mi 05 Mai 2021 02:41:38 CEST):
> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
>
>   dkim_private_key   = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this? Thanks!


You didn't run 4.94 before, did you?

The $sender_address_domain is considered tainted. Now (since >= 4.94)
Exim refused to use tainted data for filenames. The "exists" doesn't
de-taint the data. You need to perform a kind of lookup first, to
"clean"/"de-taint" the data.


    # determine the domain to be used for signing (use the rfc5322.From
    # or schlittermann.de as a fallback
    dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
    dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}


    # use the found signing domain and it's selector to get
    # the private key
    dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem


--
Heiko