Re: [exim] exim-4.96RC0 - broken Mailman (2.x)

Author: Andrew C Aitchison
Date:  
To: Michael Haardt
CC: Odhiambo Washington via Exim-users
Subject: Re: [exim] exim-4.96RC0 - broken Mailman (2.x)
On Fri, 6 May 2022, Michael Haardt via Exim-users wrote:

> Odhiambo Washington via Exim-users <exim-users@???> wrote:
>
>> I must admit I have zero clue how to detaint this:
>>
>> LOG: MAIN
>> ** mailman@??? <mailman-bounces+moses=
>> XXXXXX.org@???> R=mailman_router T=mailman_transport:
>> Tainted arg 1 for mailman_transport transport command: 'bounces'
>>
>> mailman_router:
>>   driver                     = accept

>
> Guessing, insert this here:
>
> local_parts = ${lookup {$local_part} dsearch {MAILMAN_HOME/lists}}
>
> That should set $local_part_data and then you use that where you used
> $local_part before in require_files and in the transport.
>
> I don't understand why require_files did not trigger the check, though,
> but using the tainted variable $local_part there will be a problem.


As I understand, "require_files" detaints,
since a secure file-system is a database of trust.

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
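
Added example, not part of the original messages and not Exim's own code: a small Python model of the detainting idea discussed in this thread. A value taken from the message is tainted, a directory lookup hands back the name as stored on the filesystem, and a transport-style check refuses tainted command arguments. The `Tainted` type, the function names and the wrapper path are hypothetical, and the directory tree is constructed for the demo.

```python
import os
import tempfile


class Tainted(str):
    """Hypothetical marker for strings taken from the message (e.g. the local part)."""


def dsearch(key, directory):
    """Model of a dsearch-style lookup: return the matching entry name as read
    from the directory (a plain, untainted str), or None when nothing matches."""
    if "/" in key or key in ("", ".", ".."):
        return None                        # the key must never walk the path
    for entry in os.listdir(directory):    # names come from the filesystem
        if entry == key:
            return entry                   # the directory's copy, not the input
    return None


def build_command(wrapper, *args):
    """Model of the transport check: refuse any tainted command argument."""
    for pos, arg in enumerate(args, start=1):
        if isinstance(arg, Tainted):
            raise ValueError(f"Tainted arg {pos} for transport command: '{arg}'")
    return [wrapper, *args]


def demo():
    with tempfile.TemporaryDirectory() as lists_dir:    # constructed sample tree
        os.mkdir(os.path.join(lists_dir, "mailman"))    # one known list
        local_part = Tainted("mailman")                 # as received from the sender
        data = dsearch(local_part, lists_dir)           # analogue of $local_part_data
        ok = build_command("/constructed/wrapper", "post", data)
        try:
            build_command("/constructed/wrapper", "post", local_part)
            refused = False
        except ValueError:
            refused = True                              # tainted value is rejected
        traversal = dsearch(Tainted("../etc"), lists_dir)
        return ok, refused, traversal


if __name__ == "__main__":
    print(demo())
```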