[exim] Re: Yet another taint problem.

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: Yet another taint problem.
On 12/06/2024 11:33, Thew, Alan via Exim-users wrote:
> listserv_pipe:
>    driver = pipe
>    command = /XXXXX/bin/lsv_amin -t $local_part


[
> driver = accept
> condition = ${if match{$local_part}{-dmarc-}{yes}{no}}
> retry_use_local_part
> transport = listserv_pipe
> no_verify

]

Read up on taint in the docs. The common place for a detainting
operation is in a router, by extracting from trusted data (i.e.
held locally on the system) using the tainted data as a search key.
Usually this is done in a way that (for a local-part) populates
a variable "$local_part_data".

The verification you are doing - a regex match - is technically insufficient
because Exim cannot reason deeply about REs. It's also not good enough on
a wider view, as it doesn't refuse content within the (possibly attacker-supplied)
local-part which is potentially damaging. Think in terms of shell metacharacters,
and Exim's own expansion syntax - and never forget the lessons of the log4j debacle.

--
Cheers,
Jeremy
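
One way to apply the lookup-based de-tainting described in the reply above, as an added example that is not part of the original message or of either poster's configuration. The router name `listserv_dmarc`, the file path `/etc/exim/listserv_dmarc_addresses` and its entries are assumptions; the `/XXXXX/` path is kept as redacted in the quoted transport.

```exim
# --- trusted data, held locally and writable only by the administrator ---
# Constructed contents of /etc/exim/listserv_dmarc_addresses (hypothetical
# path), one "key: data" line per address the pipe may be run for:
#
#   mylist-dmarc-request:  mylist-dmarc-request
#   mylist-dmarc-owner:    mylist-dmarc-owner
#
# The key is compared with the tainted local part; the data is what the
# lookup returns. Lookup results come from the file, so they are untainted.

# --- routers section ---
listserv_dmarc:
  driver = accept
  # Replaces the regex "condition": the router only runs when the local
  # part is a key in the file, and a match sets $local_part_data to the
  # data field of that line.
  local_parts = lsearch;/etc/exim/listserv_dmarc_addresses
  retry_use_local_part
  transport = listserv_pipe
  no_verify

# --- transports section ---
listserv_pipe:
  driver = pipe
  # Uses the value read from the trusted file, never the text taken
  # from the SMTP envelope.
  command = /XXXXX/bin/lsv_amin -t $local_part_data
```

A local part that is not listed in the file never reaches the transport, so shell metacharacters or expansion syntax in an unlisted address cannot end up on the command line.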

