Re: [exim] Help needed with tainting

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] Help needed with tainting
On 02/03/2022 22:37, Alain D D Williams via Exim-users wrote:
> The transport works by running a command of which an argument is extracted (the
> line starting .dir) from a file /etc/exim/file_domains/$local_part


That's a valid case for using dsearch, as you're looking into,
so long as the existence of the file by that name is sufficient
to validate the local_part. Effectively, the filesystem is your
database and you are doing a lookup in it for existence of the key.

> The transport is taint safe if the router de-taints $local_part
>
> I think that I should be using dsearch but the documentation about dsearch does
> not help -- not enough for me to understand it.
>
> My transport & router are below, how should I modify them to do what I want.
>
> Thanks in advance
>
>
> # Look in /etc/exim/file_domains/$local_part for the sender address
> mail_to_url_router:
>    driver = accept
>    domains = +file_domains


add a local_parts= condition here. Being a condition, it means the router
will not run if the condition is false. Use a dsearch.
Your dsearch needs to be looking for "$local_part" (the key) in
"some fixed directory" (the database). If you use a list-lookup syntax
then the key is implicit; for a local_parts= condition it is $local_part.
Also, for a list-lookup syntax, the only primary result is the yes/no
"did the lookup succeed" - unlike a string-expansion syntax lookup you
do not have a free choice in manipulating the result. But the yes/no
is what the local_parts= condition needs.

The useful part for de-tainting is the side-effect of doing a lookup
in a local_parts= condition; it sets $local_part_data. For a plain
dsearch it sets that to the requested key (but as untainted data).

So:
      local_parts = dsearch;/etc/exim/file_domains


>    condition = ${if exists {/etc/exim/file_domains/$local_part}{1}{0}}


that line is now redundant; the local_parts= test did that job.

>    require_files = /etc/exim/file_domains/$local_part


ditto

>    senders = ${if exists {/etc/exim/file_domains/$local_part} {lsearch;/etc/exim/file_domains/$local_part}{*}}


a) and that test...
b) replace $local_part with $local_part_data

>    transport = mail_to_url_transport
>    no_more

>
> mail_to_url_transport:
>    driver = pipe
>    command = /usr/bin/MailToUrl $local_part $sender_address $header_subject ${lookup{.dir}lsearch{/etc/exim/file_domains/$local_part}}


and here too, for the lsearch (the first one can be either)

>    user = mail
>    group = apache
>    return_fail_output = true




You could cut down on verbiage slightly by using a "ret=full" option on the dsearch,
but that's a style choice.

--
Cheers,
Jeremy