Re: [exim] Tainted arg 2 for mailman_transport transport com…

Author: Andrew C Aitchison
Date:  
To: Exim users list
CC: Thomas Krichel
Subject: Re: [exim] Tainted arg 2 for mailman_transport transport command

Argh. Still wrong.
Is
     ${sg{sg{$MM_LISTCHK}{\/config.pck$}{}}{.*\/}{}}
a better replacement for $local_part ?


On Wed, 20 Jul 2022, Andrew C Aitchison wrote:

> On Wed, 20 Jul 2022, Andrew C Aitchison via Exim-users wrote:
>
>> On Wed, 20 Jul 2022, Thomas Krichel via Exim-users wrote:
>>> root@darni /etc/exim4 # cat ./conf.d/transport/14_exim4-config_mailman
>>> mailman_transport:
>>>  driver  = pipe
>>>  command = MM_WRAP \
>>>          '${if def:local_part_suffix \
>>>                {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
>>>                {post}}' \
>>>          $local_part
>>>  current_directory = MM_HOME
>>>  home_directory    = MM_HOME
>>>  user              = MM_UID
>>>  group             = MM_GID

     ...        ...        ...

>>> What more to check?
>>
>> You have checked everything, but you need to use an untainted
>> value in command. Based on
>>  echo /var/lib/mailman/lists/nep-technicians/config.pck |\
>>      sed -e 's/\/config.pck\$//' -e 's/\/.*\///g'config.pck
>> (the order of the replacements matters)
>> could you try replacing your transport with:
>>
>> mailman_transport:
>>  driver  = pipe
>>  command = MM_WRAP \
>>          '${if def:local_part_suffix \
>>                {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
>>                {post}}' \
>>          ${sg{sg{$local_part}{\/config.pck$}{}}{.*\/}{}}
>>  current_directory = MM_HOME
>>  home_directory    = MM_HOME
>>  user              = MM_UID
>>  group             = MM_GID
>>
>> ?
>> I don't have an exim config system with MM_LISTCHK
>> and I have never tested the sg function in an exim config before,
>> so this is unlikely to be exactly right.
>
> I was right that this was wrong :-(
> Please try
>    ${sg{sg{$}{\/config.pck$}{MM_LISTCHK}}{.*\/}{}}
> instead.


-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???