Hi Jeremy
And thanks.
On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:
> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with
>> $dnslist_domain. That's a bit surprising as it's 100% internally
>> defined -- there's nothing the outside world can do to change its
>> possible values.
>
> I'm not immediately seeing it either.
>
> If you set up a test using -d+expand and -bh
> is the value for $acl_m_dnslist1 tainted at the point it gets expanded
> for the dnslists= ACL condition?
Very handy and, yes, at first mention of the filter (showing the full
list)...
> considering: ${filter{
> b.barracudacentral.org
> : hostkarma.junkemailfilter.com=127.0.0.2
> : truncate.gbudb.net
> : bl.spamcop.net
> : dnsbl.sorbs.net
> : all.s5h.net
> : all.bl.blocklist.de
> : all.spamrats.com
> : dyna.spamrats.com
> : noptr.spamrats.com
> : spam.spamrats.com
> : bl.mailspike.net
> : dnsbl.dronebl.org
> : sbl.spamdown.org
> : bl.nordspam.com==127.0.0.2
> : dnsbl.justspam.org
> : dnsrbl.org
> : bl.mxrbl.com
> : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
> : hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain
> : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain
> : rhsbl.sorbs.net/$sender_address_domain
> : dbl.nordspam.com==127.0.0.2/$sender_address_domain
> } {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
> [...]
> ╰─────result:
> b.barracudacentral.org
> : hostkarma.junkemailfilter.com=127.0.0.2
> : truncate.gbudb.net
> : bl.spamcop.net
> : dnsbl.sorbs.net
> : all.s5h.net
> : all.bl.blocklist.de
> : all.spamrats.com
> : dyna.spamrats.com
> : noptr.spamrats.com
> : spam.spamrats.com
> : bl.mailspike.net
> : dnsbl.dronebl.org
> : sbl.spamdown.org
> : bl.nordspam.com==127.0.0.2
> : dnsbl.justspam.org
> : dnsrbl.org
> : bl.mxrbl.com
> : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com
> : hostkarma.junkemailfilter.com=127.0.0.2/example.com
> : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com
> : rhsbl.sorbs.net/example.com
> : dbl.nordspam.com==127.0.0.2/example.com
> ╰──(tainted)
... and every item in the list (used or not) is considered tainted;
> filter: $item = 'b.barracudacentral.org' $value = 'NULL'
> ╭considering: /srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
> ╭considering: 1}{=!&/}{$item}{$value}{$item}}}} }
> ├──expanding: 1
> ╰─────result: 1
> ╭considering: =!&/}{$item}{$value}{$item}}}} }
> ├──expanding: =!&/
> ╰─────result: =!&/
> ╭considering: $item}{$value}{$item}}}} }
> ├──expanding: $item
> ╰─────result: b.barracudacentral.org
> ╰──(tainted)
Removing the rhsbl services (i.e, $sender_address_domain) and all is well.
Looks like I guessed wrong. I'm wondering why this taint error isn't
widespread -- could it be $filter/exists specific? I wont guess this
time ;)
Cheers,
Martin
