Re: [exim] [4.94.2] "tainted string" in paniclog in somewhat…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] [4.94.2] "tainted string" in paniclog in somewhat weird circumstance
Please wrap your lines at a traditional length.

On 07/07/2021 15:31, Michal Soltys via Exim-users wrote:
> warn
>         log_message     = Header syntax invalid [$acl_verify_message], message will be fakerejected
>         !verify         = header_syntax
>         control         = fakereject/The message will be delivered, but it violates RFCs [$acl_verify_message]. Please fix it.
>
> When we get a message that fails header check, we get Exim complaining in paniclog about tainted string (TLS connection is also prematurely terminated in such case judging from e.g. msmtp's output, although the mail gets delivered) - removing $acl_verify_message fixes this - but why would this string be considered tainted?


Because it contains data supplied by a potential attacker.
The issue is why it is being expanded.

> 2021-07-07 11:38:32.836 1m140m-0001YT-6t Tainted string 'The message will be delivered, but it violates RFCs [malformed address: '>\n may not follow "'mail@???'" <'mail@???: failing address in "To:" header is: "'mail@???'" <'mail@???'>]. Please fix it.' in expansion


This is the "response message" part of the fakereject control. It's being expanded once,
correctly, to give the string we see in that paniclog line. The complaint is that we're
trying to expand it again. I'm failing to find in the code where that might happen,
unfortunately.

--
Cheers,
Jeremy
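
The distinction drawn in this reply, as an added example that is not part of the original message and is not Exim's code: a small Python model in which a value derived from sender data is marked tainted, one expansion of operator-written text is allowed, and a second expansion of the result is refused. The `Tainted` class, the `expand` function, the `$name`-only syntax and the sample values are assumptions made for illustration.

```python
import re

class Tainted(str):
    """Marks a string that carries attacker-supplied data."""

class TaintedExpansionError(Exception):
    """Raised when a tainted string is used as an expansion template."""

_VAR = re.compile(r"\$(\w+)")

def expand(template, variables):
    """Substitute $name references; refuse to treat tainted data as a template.

    The result is tainted if any substituted value was tainted.
    """
    if isinstance(template, Tainted):
        raise TaintedExpansionError(
            f"Tainted string {str(template)!r} in expansion")
    saw_tainted = False

    def substitute(match):
        nonlocal saw_tainted
        value = variables[match.group(1)]
        saw_tainted = saw_tainted or isinstance(value, Tainted)
        return str(value)

    result = _VAR.sub(substitute, template)
    return Tainted(result) if saw_tainted else result

# Constructed sample values (not taken from a real log or configuration).
# The template stands for operator-written config text; the variable value
# stands for a verify error that quotes part of the sender's header.
TEMPLATE = "The message violates RFCs [$acl_verify_message]. Please fix it."
VARIABLES = {"acl_verify_message": Tainted('malformed address in "To:" header')}

def demo():
    """Return the first-pass result and the error raised by a second pass."""
    first = expand(TEMPLATE, VARIABLES)   # allowed: the template is untainted
    try:
        expand(first, VARIABLES)          # second pass: the input is now tainted
    except TaintedExpansionError as exc:
        return first, str(exc)
    return first, None

if __name__ == "__main__":
    for item in demo():
        print(item)
```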