Re: [exim] exim-4.96rc0 Tainted arg

Author: Odhiambo Washington
Date:  
To: Jeremy Harris
CC: exim users
Subject: Re: [exim] exim-4.96rc0 Tainted arg
On Sun, May 1, 2022 at 12:46 PM Jeremy Harris via Exim-users <
exim-users@???> wrote:

> On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
> > dovecot_virtual_delivery:
> >    driver = pipe
> >    return_output
> >    command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
> >    message_prefix =

>
> > How do I need to de-taint the arg 2?
>
> The same way as you de-taint local_part and domain for other uses,
> as has been discussed here many times and is documented.
>
> There are multiple ways and which one is best depends on your situation.
>
>
> Once you've done that, you'll run into arg 4 also being tainted;
> drop the "-f $sender_address" from the command line and remove
> the
>     message_prefix =
> option setting.  The default for message_prefix is an mbox "From "
> line, and Dovecot should take the sender from that.

>
> (I am assuming that "dovecot/deliver" is the same as the "dovecot/dovecot_lda"
> documented by the dovecot project).
>


Sanity check!

In my router, I have the following query:

address_data      = ${lookup mysql{ \
                      select smtp, username, users.sa_tag*10 AS sa_tag, \
                      users.on_spamassassin AS on_spamassassin, \
                      domains.spamassassin AS spamassassin, \
                      users.uid AS uid, users.gid AS gid, users.quota AS quota \
                      from users,domains \
                      where localpart = '${quote_mysql:$local_part}' \
                      and domain = '${quote_mysql:$domain}' \
                      and domains.enabled = '1' \
                      and users.enabled = '1' \
                      and users.domain_id = domains.domain_id}{$value}fail}


And I have modified my transport to:

dovecot_virtual_delivery:
driver = pipe
return_output
command = /usr/local/libexec/dovecot/deliver -d ${extract{username}{$address_data}}
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = mailnull
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

And deliveries seem to be working without any errors.

Question is whether I am creating a security loophole by doing the above.




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)