> Jeremy Harris via Exim-users <exim-users@???> hat am 21.07.2023 09:16 CEST geschrieben:
First - thanks for your reply and help. I really appreciate it.
> On 21/07/2023 07:47, Niels Kobschätzki via Exim-users wrote:
> > In exim 4.96 I have now the problem that this seems to be considered tainted in filter-files (or in ldap-queries; I am not sure tbh).
> > I get this error in the log: tainted search query is not properly quoted (router virtual_userfilter
> > , /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver%40domain.tld)(mailBlackList=test-blacklist@???))
>
> Note that the error is "it's not properly quoted". The intended hint
> is that if it (an argument to a lookup) is tainted, then it must be quoted.
>
> Not that it must be untainted (though obviously that would suffice too).
>
> So look again at you query args, and remember who is supplying them:
>
> > LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=${quote_ldap:$local_part@$domain})(mailBlackList=${lc:${address:$h_From:}}))
>
> Is that From: - derived string quoted, for ldap?
When I start to quote that it won't work. I tried '$h_From:' and wrapping ${address:$h_FROM:} and wrapping ${lc:${address:$h_From:}} but those resulted all in a deferral iirc because the search query was broken.
But maybe I understand quoting wrong in this context. Do you mean wrapping it in ' or do you mean using "quote_ldap"? I tried using quote_ldap but that suddenly adds encoded <> around the address and then the lookup won't find the result.
$h_From: results in test-blacklist@???
$quote_ldap:$h_From: results in #3ctest-blacklist@???#3e (I think it was that way - maybe the # were %)
The only moment I do not get tainted errors are when I do something like:
(mail='${quote_ldap:$local_part}'@'$domain')
but this yields: mail='test-receiver'@'domain.tld'
doing '(mail=${quote_ldap:$local_part}@$domain)'
yields '(mail=test-receiver@???)'
Both break the ldap-lookup though. The first one because 'test-receiver'@'domain.tld' does not exist in the LDAP (only test-receiver@??? does) and the second one I guess because it is in the middle of an LDAP-URL. The moment I introduce ' into the ldap-query as part of the LDAP-URL the look up breaks; either because the LDAP-URL becomes wrong or because the resulting lookup doesn't find anything.
> > And I get this in a debug session: (tainted, quoted:ldap)
>
> Since you didn't actually show us, we can only speculate...
> that was the quoted l@d string.
Here is the (slightly sanitized) output of a debug-session of my current experimental filter file.
19301 postfork: router-interpret
19301 changed uid/gid: virtual_userfilter router (recipient is test-receiver@???)
19301 uid=68 gid=9025 pid=19301
19301 auxiliary group list: 9025
19301 2679 bytes read from /users/do/domain.tld/te/test-receiver/pobox/.exim_filter
19301 data is an Exim filter program
19301 Filter: start of processing
19301 search_open: ldap "NULL"
19301 search_find: file="NULL"
19301 key="LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" partial=-1 affix=NULL starflags=0 opts=NULL
19301 LRU list:
19301 internal_search_find: file="NULL"
19301 type=ldap key="LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" opts=NULL
19301 database lookup required for LDAPAUTH LDAPDN?enableBlackList?sub?(mail=test-receiver@???)
19301 (tainted, quoted:ldap)
19301 LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 referrals=on
19301 perform_ldap_search: ldap URL = "LDAPDN?enableBlackList?sub?(mail=test-receiver@???)" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19301 after ldap_url_parse: host=ldap.server.fqdn port=389
19301 ldap_initialize with URL ldap://ldap.server.fqdn:389/
19301 initialized for LDAP (v3) server ldap.server.fqdn:389
19301 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
19301 binding with AUTHDATA
19301 Start search
19301 LDAP result loop
19301 LDAP entry loop
19301 LDAP attr loop
19301 LDAP value loop enableBlackList:1
19301 search ended by ldap_result yielding 101
19301 ldap_parse_result: 0
19301 ldap_parse_result yielded 0: Success
19301 LDAP search: returning: 1
19301 creating new cache entry
19301 lookup yielded: 1
19301 search_open: ldap "NULL"
19301 cached open
19301 search_find: file="NULL"
19301 key="LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" partial=-1 affix=NULL starflags=0 opts=NULL
19301 LRU list:
19301 internal_search_find: file="NULL"
19301 type=ldap key="LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" opts=NULL
19301 database lookup required for LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))
19301 (tainted)
19301 LOG: MAIN PANIC
19301 tainted search query is not properly quoted (router virtual_userfilter, /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))
19301 search_type 7 (ldap) quoting -1 (none)
19301 LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 referrals=on
19301 perform_ldap_search: ldap URL = "LDAPDN?mailBlackList?sub?(&(mail=test-receiver@???)(mailBlackList=test-blacklist@???))" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19301 after ldap_url_parse: host=ldap.server.fqdn port=389
19301 re-using cached connection to LDAP server ldap.server.fqdn:389
19301 Start search
19301 LDAP result loop
19301 LDAP entry loop
19301 LDAP attr loop
19301 LDAP value loop mailBlackList:test-blacklist@???
19301 search ended by ldap_result yielding 101
19301 ldap_parse_result: 0
19301 ldap_parse_result yielded 0: Success
19301 LDAP search: returning: mailBlackList="test-blacklist@???"
19301 creating new cache entry
19301 lookup yielded: mailBlackList="test-blacklist@???"
19301 Filter: end of processing
19301 search_tidyup called
19301 unbind LDAP connection to ldap.server.fqdn:389
19301 >>>>>>>>>>>>>>>> Exim pid=19301 (router-interpret) terminating with rc=0 >>>>>>>>>>>>>>>>
Best,
Niels
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
