Re: [exim] Tainted arg 2 for mailman_transport transport com…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Kirill Miazine
Date:  
À: Jeremy Harris via Exim-users
Sujet: Re: [exim] Tainted arg 2 for mailman_transport transport command
• Jeremy Harris via Exim-users [2022-07-20 15:54]:
> On 20/07/2022 15:37, Kirill Miazine via Exim-users wrote:
> > IIRC Mailman has some facility to generate aliases file, which Exim
> > could be using. Mailman is able to generate those automatically, and
> > that should make the taint checking happy, as there won't be any unsafe
> > variables left.
>
> Getting a file out of Mailman to verify recipient names against would be ideal.
> You want also to use a static list of possible affixes, rather than a wildcard.


Again, if my memory serves me right, Mailman may generates an alias file in the form of:

list:        command-without-variables
list-owner:  command-without-variables
list-bounce: command-without-variables
list-foo:    command-without-variables


So it will include both list name and all applicable suffixes.

> Handling initial signups for a list, where you don't have a known name
> to verify, seems like it could be an issue.


There shouldn't be any issues with this one, should there?

list-bounce+*: command-without-variables

> Still, do a proper job on all the possible other cases first, to
> reduce the attack surface, *before* resorting to deliberately
> subverting Exim's attempts to provide security.
>
> These attempts are not perfect; there are ways of evading them. But do
> not forget the log4j fracas.
>
> > Looking
> > athttps://bazaar.launchpad.net/~mailman-coders/mailman/2.1/files/head:/Mailman/MTA
> > it seems you'd have to say that your MTA is Postfix.
>
> :-(


That would be ironic: descripe a setup for Exim and specify MTA to be
Postfix.