Hello Exim users,
I've a problem with Sqlite lookups and tainting. I've composed a
question on Stack Exchange, since it's easier to access than this list
(and I forgot i was already subscribed here long ago!)
https://serverfault.com/questions/1108609/does-exim4s-sqlite-quote-expansion-de-taint-the-expanded-value
Quoting that here:
> I'm upgrading an exim4 installation which has some custom filters, to
> Debian 11. (Specifically, the filters are this
> <https://github.com/wu-lee/exim-disposable-aliases>.)
>
> Since that uses Exim 4.94, I've now run into the new-ish "tainted
> variables"
> <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html>
> feature, which has broken my filter. Checking Exim in debug mode with
> |exim4 -bdf -d+filter| the error is referring to a tainted filename
> (some linebreaks added for readability):
>
> |102536 LOG: MAIN PANIC 102536 Tainted filename for search
> '/var/spool/exim4/db/disposable-aliases.db' 102536 Filter error:
> failed to expand "${lookup
> sqlite{/var/spool/exim4/db/disposable-aliases.db \ select
> default_remaining from stem_configs \ where stem =
> '${quote_sqlite:$local_part}'} {$value}{0}}" in add command: NULL
> 102536 Filter: end of processing |
>
> In this case, the reference to a filename /seems/ to be spurious, as
> firstly the filename is hard-wired (so can't be tainted?) and
> secondly, if I replace the |'${quote_sqlite:$local_part}'| portion of
> the query with a literal value, the error stops (at least from this
> particular lookup).
>
> My suspicion therefore is that it's actually the presence of
> |$local_part| in the query which is the problem, and not the filename.
>
> I have discovered there's an untainted version of |$local_part|
> available in some circumstances, |$local_part_data| - however in my
> circumstance, it isn't being set and so isn't useful.
>
> More searching finds this assertion in the Exim4 documentation here
> <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html>:
>
> If tainted data is used in the query then it should be quuted
> [sic] by using the ${quote_:} expansion operator appropriate for
> the lookup.
>
> This seems to imply that the |${sqlite_quote: .. }| expansion should
> be de-tainting the content of |$local_data|. That would seem sensible,
> but is this actually correct, given that if I replace the expansion
> with a literal the tainting problem stops?
>
> If |${sqlite_quote: .. }| really is de-tainting its result, then what
> is causing this look-up to be rejected?
>
> If it is not, then what other recourse do I have? The sqlite look-up
> above is actually /designed/ to validate the local part against a list
> of valid values stored in the database, and should be able to de-taint
> the value!
>
> I should add: I can't use a file lookup, because this valid list needs
> to be configured dynamicially, outside of exim4 configuration files.
>
Is anyone here able to help with this question?
Thanks!
Nick