On 2021-06-12, Jeremy Harris via Exim-dev <exim-dev@exim.org> wrote:
> On 12/06/2021 20:56, Andrew C Aitchison via Exim-dev wrote:
>> On Sat, 12 Jun 2021, Jasen Betts via Exim-dev wrote:
>>> I'm wanting to be able to use expansion variables in the servers=
>>> parameter of query-style lookups.
>
> This immediately sounds dangerous.

It can't use tainted values, so the value will be untainted data like
the result of some lookup or arithmetic.

> [suggested code change]
>
>>> This seems to work for simple variables which is enough for me.  Full
>>> brace expansion does not work (I think the parser gets confused).
>>>
>>> As I understand it this is not going to cause a memory leak.
>>>
>>> A few lines down from this serverlist is checked to be taint-free so
>>> this feels safe to me.
>> 
>> Isn't the idea to check a string is taint-free *before* expanding it ?
>
> Precisely.  Consider what an attacker might present you with to get
> expanded, and the extensive facilities that Exim expansion offers.

Isn't the value computed and then checked for taint before the
dangerous thing is done?  In this case the dangerous thing is using the
servers setting to connect to and to query a variable server.

The check is on line 161 

    if (is_tainted(server))

-- 
  Jasen.
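
Added example, not part of the original message and not Exim's code: a toy C model of the two checks this thread discusses, refusing to interpret a tainted template before expansion and refusing a tainted result before it is used as a server name. The `tstr` type, `mk`, `toy_expand`, `pick_server` and the sample hostnames are all hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model (assumption, not Exim code): a string plus a "came from the network" flag. */
typedef struct { char buf[128]; bool tainted; } tstr;

static tstr mk(const char *s, bool tainted) {
    tstr t = { .tainted = tainted };
    snprintf(t.buf, sizeof t.buf, "%s", s);
    return t;
}

/* Toy expander: replaces each "$v" in the template with var's value.
 * Check 1 (before expansion): a tainted template is never interpreted.
 * Propagation: inserting a tainted value taints the whole result. */
static int toy_expand(const tstr *tmpl, const tstr *var, tstr *out) {
    if (tmpl->tainted) return -1;
    size_t o = 0;
    out->tainted = false;
    for (const char *p = tmpl->buf; *p && o + 1 < sizeof out->buf; ) {
        if (p[0] == '$' && p[1] == 'v') {
            o += (size_t)snprintf(out->buf + o, sizeof out->buf - o, "%s", var->buf);
            if (o >= sizeof out->buf) o = sizeof out->buf - 1;  /* truncated */
            out->tainted |= var->tainted;
            p += 2;
        } else out->buf[o++] = *p++;
    }
    out->buf[o] = '\0';
    return 0;
}

enum { OK_CONNECT = 0, ERR_TEMPLATE = 1, ERR_SERVER = 2 };
/* Check 2 (after expansion): the sink refuses a tainted server name. */
static int pick_server(const tstr *tmpl, const tstr *var) {
    tstr server;
    if (toy_expand(tmpl, var, &server) != 0) return ERR_TEMPLATE;
    if (server.tainted) return ERR_SERVER;
    return OK_CONNECT;
}

int main(void) {
    tstr cfg = mk("db-$v.example", false);      /* written by the admin */
    tstr lookup = mk("eu", false);              /* trusted lookup result */
    tstr from_net = mk("host.invalid", true);   /* value taken from a message */
    tstr net_tmpl = mk("$v", true);             /* template taken from a message */
    printf("%d %d %d\n", pick_server(&cfg, &lookup),
           pick_server(&cfg, &from_net), pick_server(&net_tmpl, &lookup));
    return 0;
}
```

The two checks guard different things: the first stops untrusted text from being run through the expander at all, the second stops untrusted data that was inserted during expansion from reaching the connection.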
