In message <[EMAIL PROTECTED]>, Mark Martinec writes:
>Christer,
>
>> I've been using amavisd-2.1.2, and am now trying to upgrade to 2.4.1.
>> As far as I can tell, all my perl modules are up to date, and perl is
>> version 5.8.4.
>> I'm having trouble with tainted sql queries, though.
>> Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911
>> local7.info] (hxaW.N) sql: preparing and executing:
>> SELECT bypass_virus_checks,bypass_spam_checks,bypass_virus_checks AS
>> virus_lover,bypass_virus_checks AS bypass_banned_checks,bypass_virus_checks
>> AS banned_files_lover,policy_name,spam_tag_level,spam_kill_level,
>> spam_kill_level AS spam_tag2_level,uname AS id FROM users
>> WHERE uname IN (?,?,?,?)
>> Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911
>> local7.warning] (hxaW.N) (!) lookup_sql: Insecure dependency in parameter 1
>> of DBI::db=HASH(0x155ac5c)->prepare method call while running with -T switch
>> at (eval 36) line 136, <GEN6> line 49., ,
>
>> @lookup_sql_dsn =
>> ( ['DBI:mysql:database=sicconfd2:host=127.0.0.1',
>> 'user', 'password']);
>> $sql_select_policy = 'SELECT ...
>
>Hmm, looks fine. Somehow the $sql_select_policy clause ends up tainted.
>Could you please see if the following change (workaround) makes a difference:
>
>--- amavisd~ Mon Jun 19 15:51:00 2006
>+++ amavisd Thu Jun 22 02:22:33 2006
>@@ -10091,9 +10091,11 @@
> my($keys_ref,$rhs_ref) = make_query_keys($addr,0,$is_local);
> my($n) = sprintf("%d",scalar(@$keys_ref)); # number of keys
>- my(@pos_args); my(@extras_tmp) = !ref $extra_args ? () : @$extra_args;
>+ my(@extras_tmp) = !ref $extra_args ? () : @$extra_args;
>+ local($1); my(@pos_args); my($sel_taint) = substr($sel,0,0); # taintedness
> $sel =~ s{ ( %k | \? ) } # substitute %k for keys and ? for each extra arg
>- { push(@pos_args, map { untaint($_) }
>- $1 eq '%k' ? @$keys_ref : shift @extras_tmp),
>+ { push(@pos_args, $1 eq '%k' ? @$keys_ref : shift @extras_tmp),
> $1 eq '%k' ? join(',', ('?') x $n) : '?' }gxe;
>+ $sel = untaint($sel) . $sel_taint; # keep original clause taintedness
>+ $_ = untaint($_) for @pos_args; # untaint arguments
> ll(4) && do_log(4,"lookup_sql \"%s\", query args: %s",
> $addr, join(', ', map{"\"$_\""} @pos_args) );
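Review bot: The two untaint lines added after the s{...}{...}gxe substitution deliberately relax a taint check, and the comments "# taintedness" and "# untaint arguments" do not say why that is safe. As written, `$sel = untaint($sel) . $sel_taint;` depends on the zero-length `substr($sel,0,0)`, taken before the substitution, carrying the clause's original taint flag. A clause that was already tainted on entry therefore stays tainted and will still be rejected at prepare, and only taint picked up during the substitution is dropped. Please spell that out in the comment. `$_ = untaint($_) for @pos_args;` clears the lookup keys with no pattern check, which is acceptable only as long as they are bound to the `?` placeholders and never spliced into the SQL text, so state that assumption next to the line. The new `local($1);` also deserves a short comment on why it is needed here.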
The workaround worked perfectly, thank you. :-)
//Christer
--
| Sys admin @ Chalmers WWW: http://www.medic.chalmers.se/ |
| Email: [EMAIL PROTECTED] Phone: (0)31 772 5431, (0)707 53 57 57 |
"I fought the loa and the loa won, I fought the loa and the loa won..."
-- Dave Aronsson, a.s.r.
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/