Author: Jeremy Harris Date: To: exim-users Subject: Re: [exim] Taint checker confusing error (blaming file but caused
by later ldap lookup)
On 22/12/2021 13:48, Michael Haardt via Exim-users wrote: >> LOCALDOM = /etc/exim4/localdomains
>> domainlist d1 = @:localhost:LOCALDOM
>> domainlist d2 = ldap;ldap::///ou=mail,dc=do,dc=main?mailDomain?sub?mailDomain=$domain
>> domainlist local_domains = +d1 : +d2 > Why would that not be tainted? The $domain string "*" would still
> be good for a surprise, so taint checking is really needed here,
> as is quoting.
Unsure which "that" you mean.
Yes, $domain will be tainted. Using it as part of the
conditions in a lookup is still permitted; the taint-tracking
is not intended to stop that (because it is in general a useful
facility). But *that* domainlist, d2, does not also have
a file as a list-element - so the string-expansion of the
definition string (which becomes tainted) does not affect one.
The hope is that the string-expansion phases for the sub-lists
making up local_domains are done lazily. I could go look at
the coding, but I'm also lazy.
Yes, for the ldap lookup here, quoting should be done.
--
Cheers,
Jeremy
