On 22/12/2021 15:41, Michael Haardt via Exim-users wrote:
> I agree I never thought about this when taint-tracking was introduced,
> but the current state is a serious security problem to me, and one I
> somehow expected to be solved by taint-tracking.
>
>> Yes, for the ldap lookup here, quoting should be done.
[...]
> Right now tainted data can be exploited in query style lookups, which
> is surprising if you believe taint-tracking protects you from that. I
> have no satisfying solution to that, unfortunately.
The quoting of tainted data is now tracked, and checked immediately
before doing a query-style lookup. Currently, violations are only
log-noisy (but this will likely be upgraded to full refusal in a later
release of Exim than the next one).
This was introduced by commit 4191cb150300d in the main development
branch. It has not yet hit a release version of Exim. Interested
parties are encouraged to build from source and try it.
[ It found several non-quoted lookups in my own operational system! ]
Untainted data, such as that from the config file(s) or from local files,
is not tracked or checked. You are still expected to know what you are
doing for those cases (but they are not remote attacks).
Only the most-recent quoting operator applied is remembered, as there
is no certainty that an overlain quote method still applies. I doubt
that such cases are in common use.
--
Cheers,
Jeremy
