[exim] Re: Untainting help

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: Untainting help
On 25/07/2023 00:45, Steve Wilson via Exim-users wrote:
> local_dovecot_lda:
>   driver                = pipe


Use LMTP rather than a commandline. It'll be more efficient too.

If you don't want to go that far...
- you seem to have "quote_mysql" sprayed around in multiple
inappropriate places
- you're already validating the recipient by doing a lookup, in
your router. But you're discarding the returned value (which
would be untainted) and only using the knowledge that it matched.
So the trick is to get both, and use the former for values in
your transport.

If you duplicate the lookup (but with $value for the return)
as an "address_data=" option on the router, that loads the $address_data
variable with the result. It gets done after all the preconditions
for the router (of which "condition" is one). Because it is a textually
identical lookup, a cached result from the first one is used - so
you're not doubling the load on your DB.
Then use $address_data, ${domain:$address_data} and ${local_part:$address_data}
in the transport.
--
Cheers,
Jeremy
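
The router and transport pairing described in the message above, as an added example that is not part of the original post or the poster's configuration. The table `mailbox`, its column `username`, the macro name `MAILBOX_QUERY`, the router name `virtual_user`, the `local_domains` list, the `vmail` user and the dovecot-lda path are all assumptions.

```exim
# --- main section ---
# Constructed schema: table "mailbox", column "username" holding full addresses.
# The MySQL server definition and "domainlist local_domains" are assumed
# to exist elsewhere in the configuration.
# A macro keeps the two lookups below textually identical, so the second
# one is answered from the lookup cache instead of a second DB query.
MAILBOX_QUERY = SELECT username FROM mailbox WHERE username='${quote_mysql:$local_part@$domain}'

# --- routers section ---
virtual_user:
  driver = accept
  domains = +local_domains
  # Precondition: only tests that the recipient exists.
  condition = ${lookup mysql{MAILBOX_QUERY}{yes}{no}}
  # Evaluated after the preconditions. Stores the value returned by the
  # database (untainted) in $address_data; a forced failure makes the
  # router decline.
  address_data = ${lookup mysql{MAILBOX_QUERY}{$value}fail}
  transport = local_dovecot_lda

# --- transports section ---
local_dovecot_lda:
  driver = pipe
  # Before: -d $local_part@$domain   (recipient-supplied, tainted)
  # After:  the database's own copy of the address, via $address_data.
  # Where the halves are needed separately, use
  # ${local_part:$address_data} and ${domain:$address_data}.
  command = /usr/lib/dovecot/dovecot-lda -d $address_data
  message_prefix =
  message_suffix =
  return_path_add
  log_output
  user = vmail
```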

