Christer,

> I've been using amavisd-2.1.2, and am now trying to upgrade to 2.4.1.
> As far as I can tell, all my perl modules are up to date, and perl is
> version 5.8.4.
> I'm having trouble with tainted sql queries, though.
> Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911
> local7.info] (hxaW.N) sql: preparing and executing:
> SELECT bypass_virus_checks,bypass_spam_checks,bypass_virus_checks AS
> virus_lover,bypass_virus_checks AS bypass_banned_checks,bypass_virus_checks
> AS banned_files_lover,policy_name,spam_tag_level,spam_kill_level,
> spam_kill_level AS spam_tag2_level,uname AS id FROM users
> WHERE uname IN (?,?,?,?)
> Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911
> local7.warning] (hxaW.N) (!) lookup_sql: Insecure dependency in parameter 1
> of DBI::db=HASH(0x155ac5c)->prepare method call while running with -T switch
> at (eval 36) line 136, <GEN6> line 49., ,

> @lookup_sql_dsn =
>   ( ['DBI:mysql:database=sicconfd2:host=127.0.0.1',
>   'user', 'password']);
> $sql_select_policy = 'SELECT ...

Hmm, looks fine. Somehow the $sql_select_policy clause ends up tainted.
Could you please see if the following change (workaround) makes a difference:

--- amavisd~    Mon Jun 19 15:51:00 2006
+++ amavisd     Thu Jun 22 02:22:33 2006
@@ -10091,9 +10091,11 @@
   my($keys_ref,$rhs_ref) = make_query_keys($addr,0,$is_local);
   my($n) = sprintf("%d",scalar(@$keys_ref));  # number of keys
-  my(@pos_args);  my(@extras_tmp) = !ref $extra_args ? () : @$extra_args;
+  my(@extras_tmp) = !ref $extra_args ? () : @$extra_args;
+  local($1); my(@pos_args); my($sel_taint) = substr($sel,0,0); # taintedness
   $sel =~ s{ ( %k | \? ) }  # substitute %k for keys and ? for each extra arg
-           { push(@pos_args, map { untaint($_) }
-                  $1 eq '%k' ? @$keys_ref : shift @extras_tmp),
+           { push(@pos_args, $1 eq '%k' ? @$keys_ref : shift @extras_tmp),
              $1 eq '%k' ? join(',', ('?') x $n) : '?' }gxe;
+  $sel = untaint($sel) . $sel_taint;  # keep original clause taintedness
+  $_ = untaint($_)  for @pos_args;    # untaint arguments
   ll(4) && do_log(4,"lookup_sql \"%s\", query args: %s",
                     $addr, join(', ', map{"\"$_\""} @pos_args) );
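Review bot: the blanket `$_ = untaint($_) for @pos_args;` strips the taint from the lookup keys (the addresses make_query_keys derives from the message) with no check on their content, which is only acceptable because those values reach the database as the `?` placeholders the hunk generates and are bound by DBI rather than interpolated into the SQL text; a comment saying so next to that line would stop a later change from reusing the untainted keys in string-built SQL. The `$sel = untaint($sel) . $sel_taint;` line is the right shape: the zero-length `substr($sel,0,0)` captured before the substitution carries the clause's own taintedness, so a $sql_select_policy that was tainted to begin with stays tainted and -T still rejects it. Also worth a comment is why `untaint` moved out of the `s{...}{...}gxe` replacement block, since the hunk explains the second line ("keep original clause taintedness") but not that move, and the next reader may put it back.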


Mark
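The idioms in the workaround above, as an added stand-alone example that is not amavisd code: regex-capture untainting, carrying a clause's original taintedness in a zero-length substring, and untainting only the values that are bound through `?` placeholders. The `untaint` helper and `build_query` are this example's own, the sample addresses are constructed, and `%ENV` is used only as a convenient source of tainted bytes under -T.

```perl
#!/usr/bin/perl -T
# Added example, not amavisd code.  Run with:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything in %ENV is tainted, and taint survives string
# operations, so a zero-length slice of a tainted string is an empty
# string that is still tainted.  It serves here to mark constructed
# sample data as "came from outside".
my $taint = substr(join('', %ENV), 0, 0);

# Regex-capture untainting, the only way Perl lets a value out of the
# taint box (same idea as amavisd's untaint(); this helper is the
# example's own and is an assumption about that function's shape).
sub untaint {
    my ($s) = @_;
    return $s unless defined $s;
    my ($clean) = $s =~ /^(.*)\z/s;
    return $clean;
}

# Build the lookup query the way the patched lookup_sql does: expand %k
# into one '?' per key, collect the keys as bound arguments, and restore
# the clause's original taintedness after untainting the expanded text.
sub build_query {
    my ($sel, @keys) = @_;
    my $sel_taint = substr($sel, 0, 0);   # '' that carries $sel's taint flag
    my @pos_args;
    $sel =~ s{%k}{ push(@pos_args, @keys); join(',', ('?') x @keys) }ge;
    # Whether the s///e above taints $sel because tainted @keys were read
    # inside the replacement depends on the Perl build (the thread reports
    # the symptom on 5.8.4).  Untainting and re-adding $sel_taint makes the
    # outcome independent of that: a clause that was clean stays clean, a
    # clause that was tainted stays tainted.
    $sel = untaint($sel) . $sel_taint;
    # The keys may be untainted wholesale only because they travel to the
    # database as bound parameters; they are never interpolated into SQL.
    $_ = untaint($_) for @pos_args;
    return ($sel, \@pos_args);
}

# Constructed sample lookup keys, tagged with $taint so they look like the
# tainted values amavisd derives from a message envelope.
my @keys = map { $_ . $taint } ('user@example.com', '@example.com', '@.');

# Case 1: the clause is a literal from the config file, hence untainted.
my $clean_sel = 'SELECT uname AS id FROM users WHERE uname IN (%k)';
my ($q1, $a1) = build_query($clean_sel, @keys);
printf "clean config:   sql tainted=%d, args tainted=%d\n",
    tainted($q1) ? 1 : 0, (grep { tainted($_) } @$a1) ? 1 : 0;

# Case 2: the same clause obtained from an untrusted source (simulated by
# tagging it with $taint).  The untaint step must not silently launder it.
my ($q2, $a2) = build_query($clean_sel . $taint, @keys);
printf "tainted config: sql tainted=%d, args tainted=%d\n",
    tainted($q2) ? 1 : 0, (grep { tainted($_) } @$a2) ? 1 : 0;
```

In the first case both flags come out clear, which is the state DBI's prepare/execute requires under -T; in the second the bound arguments are clear but the SQL text stays tainted, so `prepare` would still fail with the "Insecure dependency" error from the quoted log. That is the property the `$sel_taint` trick buys: the workaround removes only the taint the substitution itself introduced, not taint that was on the configured clause.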

_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
