Re: [exim] Should the taint checks apply to arguments?

Pàgina inicial
Delete this message
Reply to this message
Autor: Sebastian
Data:  
A: 'Mailing List'
Assumpte: Re: [exim] Should the taint checks apply to arguments?
Yes, because you could escape out of the argument, think if local part contains like "something &&
echo /etc/passwd".
Then whats executed is:
|/home/exim/scripts/my_script something && echo /etc/password

Fetching in the argument via environment variable is safe (as long as you in the script doesn't use
it for something dangerous, but that’s not exim's fault), since then you cannot use the variable to
escape out of the shell.

-----Ursprungligt meddelande-----
Från: Richard Gilbert via Exim-users <exim-users@???>
Skickat: den 1 juni 2021 12:53
Till: Exim users list <exim-users@???>
Ämne: [exim] Should the taint checks apply to arguments?

I understand why it is dangerous to use tainted data in constructing
filenames so I can no longer run a command containing the local_part,
e.g.

data = |/home/exim/scripts/$local_part

I see that it is also an error to use, e.g.

data = |/home/exim/scripts/my_script $local_part

In this case the script is fixed and the tainted data is being used as
an argument. Is that still dangerous? The script can pick up the
local_part from the LOCAL_PART environment variable.

Richard
--
Richard Gilbert
IT Services
University of Sheffield, Sheffield, S10 2FN, UK
Phone: +44 114 222 3028

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/