[exim] Tainted search query is not properly quoted

Author: Martin D Kealey
Date:  
To: exim-users
Subject: [exim] Tainted search query is not properly quoted
On Sun, 19 Mar 2023, 23:00 , Odhiambo Washington <odhiambo@???>
wrote:

> set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \
> VALUES ( '$acl_m_greyident', \
> '${eval10:$tod_epoch+300}', \
> '${quote_sqlite:$sender_host_address}', \
> '${quote_sqlite:$sender_helo_name}' );}}
>
> It's not obvious to me what I haven't quoted properly.
>


In addition to the ineffective quoting of $acl_m_greyident (which Jeremy
mentioned), the second column should be a number or timestamp rather than a
varchar, so adding quotes around ${eval10:$tod_epoch+300} is backwards.

If you habitually add quotes to all columns to "make them safe", then
you're lulling yourself into a false sense of security; see
https://bobby-tables.com/ for why this is a bad habit.

Also, although most SQL engines will tolerate strings when expecting other
types of values, sometimes the automatic conversions don't do what one
might expect. In particular, sometimes numbers are treated as (a)
unix-epoch seconds, sometimes they're treated as (b) julian days or (c)
modified julian days, and sometimes they're converted to a string and then
read back as (d) YYYYMMDDHHMMSS. Some try option (d), and then if that
doesn't work, switch to one of the others.

-Martin

PS: personally I would be inclined to use the clock in the database and
write the expression as datetime('now', '+5 minutes') or
unixepoch('now','+5 minutes') (depending on whether you want to store a
number or a datetime in that column).

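As an added illustration (not part of the thread), a Python sqlite3 script that rebuilds the quoted INSERT with the identifier escaped the way ${quote_sqlite:} does (doubling single quotes) versus left raw, and then shows how SQLite reads the same integer as a Julian day unless told it is a unix epoch, alongside the datetime('now', '+5 minutes') alternative from the PS. All variable values are constructed stand-ins for the Exim variables.

```python
import sqlite3

# Constructed stand-ins for the Exim variables in the quoted ACL; the apostrophe
# in the identifier is what an unescaped statement trips over.
GREYIDENT = "o'brien@example.org"   # constructed $acl_m_greyident
HOST = "192.0.2.10"                 # constructed $sender_host_address
HELO = "mail.example.org"           # constructed $sender_helo_name
TOD_EPOCH = 1679270400              # constructed $tod_epoch (2023-03-20 00:00:00 UTC)

def quote_sqlite(s: str) -> str:
    """Same transformation as Exim's ${quote_sqlite:...}: double every single quote."""
    return s.replace("'", "''")

def build_insert(greyident: str, quoted: bool) -> str:
    """Rebuild the thread's INSERT; `quoted` decides whether the identifier is escaped.
    The expiry is emitted as a bare number, since that column is numeric."""
    ident = quote_sqlite(greyident) if quoted else greyident
    return ("INSERT INTO greylist VALUES ("
            f"'{ident}', {TOD_EPOCH + 300}, "
            f"'{quote_sqlite(HOST)}', '{quote_sqlite(HELO)}')")

def run_insert(sql: str) -> str:
    """Execute one INSERT against a fresh in-memory greylist; 'ok' or the SQLite error."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE greylist (ident TEXT, expires INTEGER, host TEXT, helo TEXT)")
        con.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        con.close()

def interpret_epoch(epoch: int) -> dict:
    """Show how SQLite reads one integer: as a Julian day by default, as unix time only
    with the 'unixepoch' modifier, plus the clock-in-the-database expression."""
    con = sqlite3.connect(":memory:")
    try:
        as_jd, as_unix, in_5_min = con.execute(
            "SELECT datetime(?), datetime(?, 'unixepoch'), datetime('now', '+5 minutes')",
            (epoch, epoch)).fetchone()
    finally:
        con.close()
    return {"as_julian_day": as_jd, "as_unix_epoch": as_unix, "db_clock_plus_5min": in_5_min}

if __name__ == "__main__":
    for quoted in (False, True):
        print(f"quoted={quoted}: {run_insert(build_insert(GREYIDENT, quoted))}")
    print(interpret_epoch(TOD_EPOCH))
```

The unescaped statement fails on the apostrophe while the escaped one inserts cleanly, and datetime() on the bare epoch does not yield 2023-03-20 until the 'unixepoch' modifier is supplied.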