Re: [exim] $dnslist_domain tainted

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Martin Clayton
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] $dnslist_domain tainted
Hi Jeremy

And thanks.

On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:
> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with
>> $dnslist_domain. That's a bit surprising as it's 100% internally
>> defined -- there's nothing the outside world can do to change its
>> possible values.
>
> I'm not immediately seeing it either.
>
> If you set up a test using -d+expand and -bh
> is the value for $acl_m_dnslist1 tainted at the point it gets expanded
> for the dnslists= ACL condition?


Very handy and, yes, at first mention of the filter (showing the full
list)...

>  considering: ${filter{ 
>    b.barracudacentral.org
>  : hostkarma.junkemailfilter.com=127.0.0.2 
>  : truncate.gbudb.net                      
>  : bl.spamcop.net                          
>  : dnsbl.sorbs.net                         
>  : all.s5h.net                             
>  : all.bl.blocklist.de                     
>  : all.spamrats.com                        
>  : dyna.spamrats.com                       
>  : noptr.spamrats.com                      
>  : spam.spamrats.com                       
>  : bl.mailspike.net                        
>  : dnsbl.dronebl.org                       
>  : sbl.spamdown.org                        
>  : bl.nordspam.com==127.0.0.2              
>  : dnsbl.justspam.org                      
>  : dnsrbl.org                              
>  : bl.mxrbl.com                            
>  : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain 
>  : hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain       
>  : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain 
>  : rhsbl.sorbs.net/$sender_address_domain                               
>  : dbl.nordspam.com==127.0.0.2/$sender_address_domain                     
>  } {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
>  [...]
>   ╰─────result:  
>     b.barracudacentral.org                  
>   : hostkarma.junkemailfilter.com=127.0.0.2 
>   : truncate.gbudb.net                      
>   : bl.spamcop.net                          
>   : dnsbl.sorbs.net                         
>   : all.s5h.net                             
>   : all.bl.blocklist.de                     
>   : all.spamrats.com                        
>   : dyna.spamrats.com                       
>   : noptr.spamrats.com                      
>   : spam.spamrats.com                       
>   : bl.mailspike.net                        
>   : dnsbl.dronebl.org                       
>   : sbl.spamdown.org                        
>   : bl.nordspam.com==127.0.0.2              
>   : dnsbl.justspam.org                      
>   : dnsrbl.org                              
>   : bl.mxrbl.com                            
>   : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com 
>   : hostkarma.junkemailfilter.com=127.0.0.2/example.com       
>   : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com 
>   : rhsbl.sorbs.net/example.com                               
>   : dbl.nordspam.com==127.0.0.2/example.com
>              ╰──(tainted)


... and every item in the list (used or not) is considered tainted;

> filter: $item = 'b.barracudacentral.org'  $value = 'NULL'
>   ╭considering: /srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
>    ╭considering: 1}{=!&/}{$item}{$value}{$item}}}} }
>    ├──expanding: 1
>    ╰─────result: 1
>    ╭considering: =!&/}{$item}{$value}{$item}}}} }
>    ├──expanding: =!&/
>    ╰─────result: =!&/
>    ╭considering: $item}{$value}{$item}}}} }
>    ├──expanding: $item
>    ╰─────result: b.barracudacentral.org
>               ╰──(tainted)


Removing the rhsbl services (i.e, $sender_address_domain) and all is well.

Looks like I guessed wrong. I'm wondering why this taint error isn't
widespread -- could it be $filter/exists specific? I wont guess this
time ;)

Cheers,
Martin