Re: [exim-dev] servers expansion

Top Page
Delete this message
Reply to this message
Author: Jasen Betts
Date:  
To: exim-dev
Subject: Re: [exim-dev] servers expansion
On 2021-06-12, Andrew C Aitchison via Exim-dev <exim-dev@???> wrote:
> On Sat, 12 Jun 2021, Jasen Betts via Exim-dev wrote:
>
>>
>> I'm wanting to be able to use expansion variables in the servers=
>> parameter of query-style lookups.
>>
>> I can use variables if I put servers= inside the query, but if
>> servers= is used there I can't use tainted variables in the query.
>>
>> I crawled around looking at the source code trying to
>> backtrace to the caller code and finally came up with this patch:
>>
>> --- a/build/exim/src/lookups/lf_sqlperform.c
>> +++ b/build/exim/src/lookups/lf_sqlperform.c
>> @@ -129,7 +129,7 @@ else
>>     uschar * ele;
>>     for (int sep = ','; ele = string_nextinlist(&opts, &sep, NULL, 0); )
>>       if (Ustrncmp(ele, "servers=", 8) == 0)
>> -       { serverlist = ele + 8; break; }
>> +       { serverlist = expand_string( ele + 8 ); break; }
>>     }

>>
>> if (!serverlist)
>> ---
>>
>> This seems to work for simple variables which is enough for me. Full
>> brace expansion does not work (I think the parser gets confused).
>>
>> As I understand it this is not going to cause a memory leak.
>>
>> a few lines down from this serverlist is checked to be taint-free so
>> this feels safe to me.
>
> Isn't the idea to check a string is taint-free *before* expanding it ?


If the expansion being done is a safe expansion then the taintness is
preserved and the checking is deferred until a dangerous expansion is
encountered. (this is AIUI done by some sort of pointer magic)

Variable substitution is taint-preserving so if tainted data
is used in the servers parameter it will be rejected by the test.
(because servers is rightly considered dangerous)

--
Jasen.