[exim-dev] [Bug 2737] New: $mime_filename considered as Tain…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: admin
Dátum:  
Címzett: exim-dev
Tárgy: [exim-dev] [Bug 2737] New: $mime_filename considered as Tainted
https://bugs.exim.org/show_bug.cgi?id=2737

            Bug ID: 2737
           Summary: $mime_filename considered as Tainted
           Product: Exim
           Version: 4.94
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: warren@???
                CC: exim-dev@???


As per the documentation
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECTscanmimepart
the option 'decode = $mime_filename' can be used however within the MIME ACL.
This now fails due to the filename being tainted.

Here is a quick test with an attachment using the below mime ACL:

acl_check_mime:

        warn
          decode = $mime_filename
          logwrite = :main: DEBUG: Filename $mime_filename


        accept



10:59:27 10347 using ACL "acl_check_mime"
10:59:27 10347 processing "warn"
(/home/warren/exim/exim-4.94.2/src/configure.default 642)
10:59:27 10347  ╭considering: $mime_filename
10:59:27 10347  ├──expanding: $mime_filename
10:59:27 10347  ╰─────result: myspreadsheet.xlsx
10:59:27 10347             ╰──(tainted)
10:59:27 10347 check decode = $mime_filename
10:59:27 10347              = myspreadsheet.xlsx
10:59:27 10347 LOG: MAIN PANIC
10:59:27 10347   Tainted filename
'/var/spool/exim/scan/1leZql-0002gt-L3/myspreadsheet.xlsx'
10:59:27 10347 warn: condition test deferred in ACL "acl_check_mime"



Using 'decode = default' solves the issue and the documentation also does
mention "However, you should keep in mind that $mime_filename might contain
anything.". So not sure how this should be dealt with. I can only see 2
options:

1. Remove the ability to use decode = $mime_filename or
2. Remove the taint check on $mime_filename and warn the OP that this is
dangerous (this is probably not a good idea)


Is there an alternative approach?

--
You are receiving this mail because:
You are on the CC list for the bug.