[exim] Re: De-Tainting in a filter-file?

Pàgina inicial
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
A: exim-users
Assumpte: [exim] Re: De-Tainting in a filter-file?
On 21/07/2023 07:47, Niels Kobschätzki via Exim-users wrote:
> In exim 4.96 I have now the problem that this seems to be considered tainted in filter-files (or in ldap-queries; I am not sure tbh).
> I get this error in the log: tainted search query is not properly quoted (router virtual_userfilter
> , /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver%40domain.tld)(mailBlackList=test-blacklist@???))


Note that the error is "it's not properly quoted". The intended hint
is that if it (an argument to a lookup) is tainted, then it must be quoted.

Not that it must be untainted (though obviously that would suffice too).

So look again at you query args, and remember who is supplying them:

> LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=${quote_ldap:$local_part@$domain})(mailBlackList=${lc:${address:$h_From:}}))


Is that From: - derived string quoted, for ldap?



> And I get this in a debug session: (tainted, quoted:ldap)


Since you didn't actually show us, we can only speculate...
that was the quoted l@d string.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/