Re: [exim] Taint checker confusing error (blaming file but c…

Author: Michael Haardt
Date:  
To: Jeremy Harris via Exim-users
Subject: Re: [exim] Taint checker confusing error (blaming file but caused by later ldap lookup)
Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 22/12/2021 07:33, Christian Balzer via Exim-users wrote:
> > LOCALDOM = /etc/exim4/localdomains
> > domainlist local_domains = @:localhost:LOCALDOM:ldap;ldap::///ou=mail,dc=do,dc=main?mailDomain?sub?mailDomain=$domain
>
> Doh. Ignore my previous question; I'd misread.
>
> This issue here is that the use of $domain in that string,
> which happens to be a domain list, is tainting the entire string.
> That includes the LOCALDOM element, after its macro-expansion,
> so when that gets used as a filename, you trap.
>
> I'm not sure what you can do about this. How many places
> is this local_domains being used (probably many).
> Could you lose either the fixed file or the ldap?


It's over a decade ago since I dealt with ldap, but shouldn't this be
quoted anyway using quote_ldap? As it is, a malicious $domain could have
unwanted side effects on the query, because the query is parsed after
expanding $domain. The taint check prevents that.

Perhaps quote_ldap should return an untainted string?

Michael
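
Added example, not part of the original message and not Exim's own code: a Python sketch of the two quoting layers an LDAP URL query needs (RFC 4515 filter escaping, then URL percent-encoding), showing which values of `$domain` change the filter when inserted unquoted. The function names and sample values are constructed for illustration, and the percent-encoding here is stricter than necessary.

```python
import re
from urllib.parse import quote

ATTR = "mailDomain"  # attribute used in the thread's query
# RFC 4515 escapes for characters that carry meaning inside a filter value.
FILTER_ESCAPES = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# A filter that is exactly one equality test on ATTR with a literal value.
PLAIN_EQUALITY = re.compile(r"mailDomain=(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})+")


def escape_filter_value(value: str) -> str:
    """Layer 1: neutralise filter metacharacters in an assertion value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def quote_for_ldap_url(value: str) -> str:
    """Layer 2 on top of layer 1: percent-encode for the URL form of the query."""
    return quote(escape_filter_value(value), safe="")


def build_filter(domain: str, quoted: bool) -> str:
    """Filter text as the LDAP library sees it after URL decoding."""
    return f"{ATTR}={escape_filter_value(domain) if quoted else domain}"


def is_plain_equality(ldap_filter: str) -> bool:
    """True if the value stayed a literal and did not alter the filter."""
    return PLAIN_EQUALITY.fullmatch(ldap_filter) is not None


if __name__ == "__main__":
    # Constructed sample values standing in for $domain.
    for domain in ["example.org", "*", "x)(y", "a?b"]:
        print(repr(domain), is_plain_equality(build_filter(domain, False)),
              is_plain_equality(build_filter(domain, True)), quote_for_ldap_url(domain))
```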