On Fri, 6 May 2022, Michael Haardt via Exim-users wrote:
> Odhiambo Washington via Exim-users <exim-users@???> wrote:
>
>> I must admit I have zero clue how to detaint this:
>>
>> LOG: MAIN
>> ** mailman@??? <mailman-bounces+moses=
>> XXXXXX.org@???> R=mailman_router T=mailman_transport:
>> Tainted arg 1 for mailman_transport transport command: 'bounces'
>>
>> mailman_router:
>> driver = accept
>
> Guessing, insert this here:
>
> local_parts = ${lookup {$local_part} dsearch {MAILMAN_HOME/lists}}
>
> That should set $local_part_data and then you use that where you used
> $local_part before in require_files and in the transport.
>
> I don't understand why require_files did not trigger the check, though,
> but using the tainted variable $local_part there will be a problem.

As I understand, "require_files" detaints,
since a secure file-system is a database of trust.
--
Andrew C. Aitchison Kendal, UK
andrew@???
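
An added illustration, not part of the original messages and not Exim's own code: a Python model of the idea discussed in this thread, that a lookup keyed by the untrusted local part hands back the name as it is stored in the lists directory, and only that value reaches the command line. The wrapper path, the "post" argument and the list names are constructed for the example.

```python
import os
import tempfile
from typing import Optional


def dsearch(directory: str, key: str) -> Optional[str]:
    """Return the directory entry whose name equals key, or None.

    The returned string is the name read back from the file system,
    not the caller-supplied key, so it can only be a name the
    administrator created under `directory`.
    """
    # A key that could step outside the directory is never looked up.
    if not key or "/" in key or "\0" in key or key in (".", ".."):
        return None
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.name == key:
                return entry.name
    return None


def build_command(lists_dir: str, local_part: str) -> Optional[list]:
    """Build a delivery argv only from the looked-up value."""
    list_name = dsearch(lists_dir, local_part)
    if list_name is None:
        return None  # unknown list: decline instead of passing input on
    # Hypothetical wrapper path and action, assumed for this example.
    return ["/hypothetical/mailman-wrapper", "post", list_name]


def demo() -> dict:
    """Run the lookup over constructed list names and local parts."""
    with tempfile.TemporaryDirectory() as lists_dir:
        for name in ("announce", "staff"):  # constructed sample lists
            os.mkdir(os.path.join(lists_dir, name))
        samples = ["announce", "staff", "nosuchlist", "../etc", "a/b", ""]
        return {s: build_command(lists_dir, s) for s in samples}


if __name__ == "__main__":
    for local_part, argv in demo().items():
        print(repr(local_part), "->", argv)
```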