[exim] Tainted String issue after 4.97 upgrade...

Página Inicial
Delete this message
Reply to this message
Autor: Kris Oye
Data:  
Para: exim-users@lists.exim.org
Assunto: [exim] Tainted String issue after 4.97 upgrade...
The configuration for our outbound server that used to work under 4.96.2 now has a broken router and I am trying to figure out how to fix it. Any help would be appreciated!

The broken router:

system_aliases:
driver = redirect
allow_fail
allow_defer
data = $local_part@$domain, ${lookup mysql{MYSQL_ALIASES}}
file_transport = address_file
pipe_transport = address_pipe

where MYSQL_ALIASES was initially defined as:

MYSQL_ALIASES = select XXX_GetForwardingAddress('$local_part')

I partially addressed the issues by quoting the local_part in my function call:

MYSQL_ALIASES = select XXX_GetForwardingAddress('${quote_mysql:$local_part }')

Also tried:

MYSQL_ALIASES = select XXX_GetForwardingAddress('${quote_mysql:$local_part_data }')


But this did not fully fix the issue (tainted local_part still taints the SQL function result?):

2023-11-15 07:18:57 1r3HVG-000000010zZ-K8b5 ** krisosa1234567@???<mailto:krisosa1234567@intelliwebservices.com> R=dbmailuser T=transport_dbmail: Tainted arg 2 for transport_dbmail transport command: 'krisosa1234567'


How do I de-taint / trust the result from my own database here?

-Kris O

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/