Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Nick
Datum:  
To: Jeremy Harris, Nick via Exim-users
Betreff: Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-taint the expanded value?
[I'm obliged to reply to the wrong email, apologies: I disabled delivery
option on the list long ago and failed to re-enable it last try.
Succeeded now I think.]

On 22/8/2022 Jeremy replied:

>     Which means I can't use a simple list lookup, nor a wildcard lookup, as these don't support capture

>
> In the current release of Exim, they do and you could.
>
>     Is it the maintainers' opinion that when tainted text which *can
>     only* be validated as safe by a wildcard or a regular expression
>     (to use in, for example, a file path), it should nevertheless
>     still not be possible to use that to detaint the validated text,
>     in case someone else abuses this mechanism to create an insecure
>     Exim configuration? 

>
> Yes.
>

Those answers taken together imply that wildcard lookups allow captures,
in the latest version of Exim, but these are not de-tainted.  If so, my
point stands: I can't create a detainting lookup for the aliases I want to.


Also, the the latest documentation (for 4.96) seems to say I can't use
captures usefully in any case:

> Note: It is not possible to capture substrings in a regular expression
> match for later use, because the results of all lookups are cached. If
> a lookup is repeated, the result is taken from the cache, and no
> actual pattern matching takes place. The values of all the numeric
> variables are unset after a (n)wildlsearch match.

(Ch. 9 "File and database lookups", section 3, under "wildlsearch or
nwildlsearch" - the only mention of the word "capture" in this chapter.)

It's possible I missed something?


> [Regarding supporting detainting via regex capture]
> No. It would instantly be abused with an "accept everything" wildcard.


Ok, but the cat is out of the bag: an "accept anything" detainting hack
is already possible for those who want to use it (see the link in my
earlier email), therefore anyone who unavoidably needs to detaint an
unbounded set of text patterns will have no alternative but use this
hack and live with the obfuscation.

But that's ok, I know where I stand, and can live without per-alias logs
and that hack. I believe I'm abusing Exim for this job anyway, the
filter language isn't cut out for this and only barely supports the
logic required, so I need to a more suitable solution when I have time.


Thanks,

Nick