Re: [exim] 4.96 simplegreylist taint

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
A: jacob dahl pind
CC: exim-users
Assumpte: Re: [exim] 4.96 simplegreylist taint
On Thu, 4 Aug 2022, jacob dahl pind via Exim-users wrote:

> using the example at https://github.com/Exim/exim/wiki/SimpleGreylisting
>
> with 4.96 the following line throws an error
>
> set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \VALUES (
> '$acl_m_greyident', \
> '${eval10:$tod_epoch+300}', \
> '$sender_host_address', \
> '${quote_sqlite:$sender_helo_name}' );}}
>
>
>
> 2022-08-04 15:03:17 tainted search query is not properly quoted (ACL
> warn, /etc/exim/configure_496 622): INSERT INTO greylist VALUES (
> 'gFhKiD0bZ8K21WkyYuCq', '1659618497',
> '209.85.166.69', 'mail-io1-f69.google.com' )
>
> but what is not being quoted right in that line ?


Earlier in that page acl_m_greyident is defined as:
# Generate a hashed 'identity' for the mail, as described above.
warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}
I don't know whether hash untaints ... but as I read the spec,
if $sender_address$recipients$h_message-id: is less than 20 characters
the hash returns this string, which should still be tainted.
Other hash functions (md5, sha1, sha256 etc) which appear never to return
the original string, and thus *may* not be tainted, are available.

> Thought the only change was this
>
> JH/21 Remove the "allow_insecure_tainted_data" main config option and
> the "taint" log_selector. These were previously deprecated.
>
> but given I have not been using that , is there some other change I am
> not aware of ?


New stuff we've added since 4.95:
     ...        ...
   - Query-style lookups are now checked for quoting, if the query string is
     built using untrusted data ("tainted").  For now lack of quoting is
     merely logged; a future release will upgrade this to an error.
     ...        ...


-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???