[exim] Re: De-Tainting in a filter-file?

Top Page
Delete this message
Reply to this message
Author: Niels Kobschätzki
Date:  
To: Jeremy Harris, Jeremy Harris via Exim-users
Subject: [exim] Re: De-Tainting in a filter-file?
> Jeremy Harris via Exim-users <exim-users@???> hat am 21.07.2023 09:16 CEST geschrieben:

First - thanks for your reply and help. I really appreciate it.

> On 21/07/2023 07:47, Niels Kobschätzki via Exim-users wrote:
> > In exim 4.96 I have now the problem that this seems to be considered tainted in filter-files (or in ldap-queries; I am not sure tbh).
> > I get this error in the log: tainted search query is not properly quoted (router virtual_userfilter
> > , /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver%40domain.tld)(mailBlackList=test-blacklist@???))
>
> Note that the error is "it's not properly quoted". The intended hint
> is that if it (an argument to a lookup) is tainted, then it must be quoted.
>
> Not that it must be untainted (though obviously that would suffice too).
>
> So look again at you query args, and remember who is supplying them:
>
> > LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=${quote_ldap:$local_part@$domain})(mailBlackList=${lc:${address:$h_From:}}))
>
> Is that From: - derived string quoted, for ldap?


When I start to quote that it won't work. I tried '$h_From:' and wrapping ${address:$h_FROM:} and wrapping ${lc:${address:$h_From:}} but those resulted all in a deferral iirc because the search query was broken.

But maybe I understand quoting wrong in this context. Do you mean wrapping it in ' or do you mean using "quote_ldap"? I tried using quote_ldap but that suddenly adds encoded <> around the address and then the lookup won't find the result.

$h_From: results in test-blacklist@???
$quote_ldap:$h_From: results in #3ctest-blacklist@???#3e (I think it was that way - maybe the # were %)

The only moment I do not get tainted errors are when I do something like:

(mail='${quote_ldap:$local_part}'@'$domain')
but this yields: mail='test-receiver'@'domain.tld'

doing '(mail=${quote_ldap:$local_part}@$domain)'
yields '(mail=test-receiver@???)'

Both break the ldap-lookup though. The first one because 'test-receiver'@'domain.tld' does not exist in the LDAP (only test-receiver@??? does) and the second one I guess because it is in the middle of an LDAP-URL. The moment I introduce ' into the ldap-query as part of the LDAP-URL the look up breaks; either because the LDAP-URL becomes wrong or because the resulting lookup doesn't find anything.

> > And I get this in a debug session: (tainted, quoted:ldap)
>
> Since you didn't actually show us, we can only speculate...
> that was the quoted l@d string.


Here is the (slightly sanitized) output of a debug-session of my current experimental filter file.

19301 postfork: router-interpret
19301 changed uid/gid: virtual_userfilter router (recipient is test-receiver@???)
19301   uid=68 gid=9025 pid=19301
19301   auxiliary group list: 9025
19301 2679 bytes read from /users/do/domain.tld/te/test-receiver/pobox/.exim_filter
19301 data is an Exim filter program
19301 Filter: start of processing
19301   search_open: ldap "NULL"
19301   search_find: file="NULL"
19301     key="LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" partial=-1 affix=NULL starflags=0 opts=NULL
19301   LRU list:
19301   internal_search_find: file="NULL"
19301     type=ldap key="LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" opts=NULL
19301   database lookup required for LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)
19301                                (tainted, quoted:ldap)
19301   LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 referrals=on
19301   perform_ldap_search: ldap URL = "LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19301   after ldap_url_parse: host=ldap.server.fqdn port=389
19301   ldap_initialize with URL ldap://ldap.server.fqdn:389/
19301   initialized for LDAP (v3) server ldap.server.fqdn:389
19301   LDAP_OPT_X_TLS_TRY set due to ldap:// URI
19301   binding with AUTHDATA
19301   Start search
19301   LDAP result loop
19301   LDAP entry loop
19301   LDAP attr loop
19301   LDAP value loop enableBlackList:1
19301   search ended by ldap_result yielding 101
19301   ldap_parse_result: 0
19301   ldap_parse_result yielded 0: Success
19301   LDAP search: returning: 1
19301   creating new cache entry
19301   lookup yielded: 1
19301   search_open: ldap "NULL"
19301     cached open
19301   search_find: file="NULL"
19301     key="LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" partial=-1 affix=NULL starflags=0 opts=NULL
19301   LRU list:
19301   internal_search_find: file="NULL"
19301     type=ldap key="LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" opts=NULL
19301   database lookup required for LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))
19301                                (tainted)
19301 LOG: MAIN PANIC
19301   tainted search query is not properly quoted (router virtual_userfilter, /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))
19301   search_type 7 (ldap) quoting -1 (none)
19301   LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 referrals=on
19301   perform_ldap_search: ldap URL = "LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19301   after ldap_url_parse: host=ldap.server.fqdn port=389
19301   re-using cached connection to LDAP server ldap.server.fqdn:389
19301   Start search
19301   LDAP result loop
19301   LDAP entry loop
19301   LDAP attr loop
19301   LDAP value loop mailBlackList:test-blacklist@???
19301   search ended by ldap_result yielding 101
19301   ldap_parse_result: 0
19301   ldap_parse_result yielded 0: Success
19301   LDAP search: returning: mailBlackList="test-blacklist@???"
19301   creating new cache entry
19301   lookup yielded: mailBlackList="test-blacklist@???"
19301 Filter: end of processing
19301 search_tidyup called
19301 unbind LDAP connection to ldap.server.fqdn:389
19301 >>>>>>>>>>>>>>>> Exim pid=19301 (router-interpret) terminating with rc=0 >>>>>>>>>>>>>>>>


Best,

Niels


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/