Re: [exim] Taint checking and exim 4.96rc0

Author: Kirill Miazine
Date:  
To: exim-users
Subject: Re: [exim] Taint checking and exim 4.96rc0
* Heiko Schlittermann via Exim-users [2022-04-29 21:07]:
[...]
> The "allow_insecure_tainted_data" was introduced to ease the migration
> from 4.94 to 4.95, giving you/us a timeframe to upgrade existing
> configurations to be taintproof.
>
> Before upgrading to 4.96 you should have a taintproof (secure)
> configuration. The deprecation of "allow_insecure_tainted_data" was
> announced with the advent of this option already.
>
> Which point did I miss? Do we have *new* taintchecks that break
> configurations that were considered secure with 4.95?


I had a setup which didn't use allow_insecure_tainted_data, but I was
hit by

JH/25 Taint-check exec arguments for transport-initiated external processes.
      Previously, tainted values could be used. This affects "pipe", "lmtp" and
      "queryprogram" transport, transport-filter, and ETRN commands.
      The ${run} expansion is also affected: in "preexpand" mode no part of
      the command line may be tainted, in default mode the executable name
      may not be tainted.


I welcome taint checking facilities, but I'm afraid that the
introduction of taint checking for exec arguments will cause lots of
broken configurations. Even the Exim spec has (had) examples which would
be broken by the change. When a shell is not used, the only reason for
taint checking arguments would be to protect the command being called in
case it's not prepared to deal with malicious arguments.

When using Perl's taint checking facilities (-T) some 20 years ago,
I remember I spent quite a while reading perlsec(1). Memories from that
time helped me when trying to understand taint checking in Exim. The
Exim documentation is still not very detailed about the concept. I'm not
ready to write anything, as I haven't gained enough understanding myself
yet.

I'd welcome some generic way to untaint data. E.g. Perl allows using
subpatterns from a regular expression match to untaint parts of data. For
local parts and domains there's kind of a way, but for local part
affixes or sender addresses, I couldn't find a way.

>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann
> --
>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -


-- 
    -- Kirill Miazine <km@???>
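The JH/25 change discussed above, illustrated as an added configuration example (not from the thread or from the Exim project): a pipe transport that passes the tainted $local_part as an exec argument, beside the form that survives the 4.96 check by letting the router's lookup produce the untainted $local_part_data. The file path, transport/router names and the "handler" account are assumptions.

```text
# Router: a successful lookup in the list file leaves an untainted copy of the
# matched local part in $local_part_data (the "kind of a way" for local parts).
# /etc/exim/pipe-users and the names below are assumed, not from the thread.
program_router:
  driver = accept
  local_parts = lsearch;/etc/exim/pipe-users
  transport = program_pipe

# Rejected by 4.96 (JH/25): $local_part is tainted, and a "pipe" transport
# may no longer pass tainted values as exec arguments.
program_pipe_tainted:
  driver = pipe
  command = /usr/local/bin/deliver-handler $local_part
  user = handler

# Accepted: $local_part_data comes from the router's lookup, so it is untainted.
program_pipe:
  driver = pipe
  command = /usr/local/bin/deliver-handler $local_part_data
  user = handler
```

Run "exim -bV" and a test delivery ("exim -bt user@example.com") after the change; the tainted variant fails at delivery time, not at configuration read time.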