Re: [exim] Taint checker confusing error (blaming file but c…

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Taint checker confusing error (blaming file but caused by later ldap lookup)
On 22/12/2021 17:57, Michael Haardt via Exim-users wrote:
>>> Would it be possible to expand all strings when reading the configuration
>>> without causing side effects to check any attempt of using tainted data
>>> at start up?
>>
>> No. Variables are used for data which varies on a finer grain
>> than "exim starting up". For the specific case, $domain varies
>> with individual recipient (even within a given message).
>
> Does Exim do lazy evaluation during string expansion?


It does.

Also, though rarely used, it's not impossible for the
source of a string getting expanded to come from a
runtime-variable place. Exim is that flexible.

> If not,
> dummy values should suffice for the purpose of checking if
> string expansions refer to tainted variables. This would also
> point out the attempt to use non-existant variables and verify
> overall syntax.


> Well, given that reason nobody needed taint checking to begin with. ;-)


You've not been following the log4j mess, obviously.
It's not funny at all.

Taint tracking for Exim was introduced because just such a mistake
was found in the then Exim default config. It was a CVE.
The obvious point fix was done, but I decided it was just too simple
for anybody writing config to make a similar error.

There was actually a previous change made for similar reasons,
a decade back: the right-hand-side of certain expansions was made
no-longer-expanded. It was deemed too easy to write a security hole.
This was an incompatible change, just like the introduction of
taint-tracking.
--
Cheers,
Jeremy