Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-users
Betreff: Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-taint the expanded value?
On 23/08/2022 17:18, Nick via Exim-users wrote:
> On 22/8/2022 Jeremy replied:
>
>>     Which means I can't use a simple list lookup, nor a wildcard lookup, as these don't support capture
>>
>> In the current release of Exim, they do and you could.


>> Note: It is not possible to capture substrings in a regular expression match for later use, because the results of all lookups are cached. If a lookup is repeated, the result is taken from the cache, and no actual pattern matching takes place. The values of all the numeric variables are unset after a (n)wildlsearch match.
> (Ch. 9 "File and database lookups", section 3, under "wildlsearch or nwildlsearch" - the only mention of the word "capture" in this chapter.)
>
> It's possible I missed something?


I was talking about lookups in lists, so Ch. 10.
It's a bit buried, but:

Sec 9 (Domain lists)

"If a pattern starts with a circumflex...
$1 (onwards) to any submatches identified by parentheses".

Sec 22 (Local part lists)

"These behave in the same way as domain and host lists".




     [
       For (n)wildlsearch lookups, you can add a no_rd option so
       that they do not cache.  I've no idea if substrings from
       (n)wildlsearcha regex lookup are captured though.
     ]




However, your basic point that you can't use wildcard matches
as a way of avoiding the security provided by taint-tracking,
is correct.

Yes, more abstruse ways exist. Welcome to log4j hell.
--
Cheers,
Jeremy