[exim] Re: Inconsistent detection of tainted command in ${ru…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Jeremy Harris
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: [exim] Re: Inconsistent detection of tainted command in ${run} 4.96
On 01/09/2023 08:48, Andrew Hearn via Exim-users wrote:
> If it's by design is there any more documentation
> about how ${run} is expanded please?


The docs I'm looking at,
https://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html

say, for ${run...} :-

"If the option preexpand is used
[...]
Neither the command nor any argument may be tainted."

So, in your PLAIN authenticator you had used attacker-supplied data
($1) in the command args; with the preexpand option which requests the
entire command+args expanded as one string. The taint from $1 taints
the expanded string. That string is only then split for the argv
(executable path and arguments), and every element resulting is tainted.

You could track this getting done by using the "expand" debug channel
(probably there already, but you didn't show it to us).

What docs were you looking at?


Regarding your LOGIN authentication not behaving the same way, this
smells like a bug: failing to track taint in the more-complex
sequence that the LOGIN method uses. I'll look into this; thanks
for pointing it up.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/