Re: [exim] Tainted spoolfile?

Etusivu
Poista viesti
Vastaa
Lähettäjä: Andreas Metzler
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] Tainted spoolfile?
On 2021-10-26 Dominik Vogt via Exim-users <exim-users@???> wrote:
> After upgrading from Devuan 3 (~= Debian 10) to Devuan-4
> (~=Debian-11), not changing the exim config file the new Exim
> version is 4.94.2.


> Running "sendmail -qf" emits error messages like this one:


> 2021-10-25 23:00:12.776 [7584] 1melHk-0000VC-R0 ==
> FOOBAR@localhost R=local_user T=mail_spool defer (-1) DT=0.004s:
> Tainted '/var/mail/FOOBAR' (file or directory name for mail_spool
> transport) not permitted


> It seems to complain about the file /var/mail/FOOBAR for
> _incoming_ mail. What is the cause of this and how can it be
> fixed?

[...]

Hello,

Assuming Devuan is using the Debian packages you should have seen this
warning from /usr/share/doc/exim4-base/NEWS.Debian.gz on upgrading. If
you have not, please install apt-listchanges, which is Priority:
standard for a good reason.

-------------------------
exim4 (4.94-18) experimental; urgency=medium

Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
concept of tainted data read from untrusted sources, like e.g. message
sender or recipient. This tainted data (e.g. $local_part or $domain)
cannot be used among other things as a file or directory name or command
name.

This WILL BREAK configurations which are not updated accordingly.
[....]
-------------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'