> > What's the suggested way to do that for virtual domains, that is many
> > mailboxes that all belong to the same local user, and which are not
> > obtained through a lookup, but through the filesystem itself?
> 
> The result of a lookup is untainted, and will likely remain so
> (even if the key for the lookup is tainted, e.g. $local_part).
> So whatever you're doing now should still work, so long as you
> don't name the DB for the lookup using tainted data.

Is there a way of un-tainting things from $local_part? We have a
long-standing little feature where we implement per-address settings
for things like blocklists using databases read from directories named
after the local addresses, more or less:

        UBDIR = CFDIR/${lc:$local_part}

        deny
                domains = +local_domains
                senders = ${if exists {UBDIR/senders} {UBDIR/senders}}
                message = mail from ...

We have not yet updated to a version of Exim that uses tainting and so
I don't know if this usage will be immediately affected, but it seems
that this is now being considered questionable in at least this form.

(We already check and sanitize $local_part, so this is safe in our
usage. People do not get to create valid local addresses with e.g. '/../'
in them, and if they did manage it somehow, explicit address content
checks would reject them earlier. Also, these per-user files must be
updated by root, so we consider their contents safe.)

        - cks

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
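
An added example, not part of the original message or of Exim's own documentation: one way the per-address directory check above could be written so that the path is built from a lookup result rather than from $local_part itself, relying on the quoted statement that lookup results are untainted. It assumes an Exim version with tainting and its dsearch (directory search) lookup; UBNAME is a hypothetical macro name, CFDIR is assumed to be a fixed absolute path set in the configuration, and the message text is a constructed placeholder.

```exim
# Assumption: CFDIR is a macro holding a fixed absolute directory path,
# written literally in the configuration, so it is not tainted.

# UBNAME (hypothetical macro): look the lowercased local part up as an
# entry name inside CFDIR. dsearch does not accept a key containing '/'.
# On success the expansion yields the entry name as found on disk, which
# is a lookup result and therefore untainted. On failure it yields the
# empty string, because no failure string is given.
UBNAME = ${lookup {${lc:$local_part}} dsearch {CFDIR}}

deny
        domains   = +local_domains
        # Skip this statement when there is no per-address directory,
        # so that an empty UBNAME never ends up in a file path.
        condition = ${if !eq {UBNAME}{}}
        # The path is now built from the lookup result, not from the
        # tainted $local_part.
        senders   = ${if exists {CFDIR/UBNAME/senders} {CFDIR/UBNAME/senders}}
        # Constructed placeholder text, not the original message.
        message   = sender blocked by per-address list
```

The tainted value is used only as the key of the lookup, never as part of the file name that Exim opens.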