On 18/06/2020 13:20, Felix Schwarz via Exim-users wrote:
> sqlite_dbfile = /path/to/user.db
>
> domainlist local_domains = sqlite;select DISTINCT domain from users where
> domain='${quote_sqlite:$domain}' and is_enabled=1;
Two problems.
- the <lookup-type> <semicolon> <file> syntax only applies for
single-key lookup types. sqlite is a query-style.
- that probably leads into the tainting problem, so I'll ignore that
> I assumed that "quote_sqlite" would untaint the $domain value but it does not?
No, quoting is for protection against metacharacter interpretation
by sqlite, and has nothing to do with taint. An attacker could
use a domain name with some legal SQL embedded...
Use the ${lookup sqlite ...} syntax.
--
Cheers,
Jeremy
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
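A worked form of the `${lookup sqlite ...}` syntax Jeremy recommends, as an added example that is not part of the thread and not Felix's or Jeremy's configuration. The database path, table (`users`) and columns (`domain`, `is_enabled`) are taken from the quoted post; the `localuser` router, and the `local_delivery` transport it names, are assumed for illustration only.

```exim
# Added example (not from the thread). Path, table and column names come from
# the quoted post; the router and transport below are assumed.
sqlite_dbfile = /path/to/user.db

# Form from the original post, for comparison (query-style type name followed
# by ';' and the query, written as a list pattern):
#
# domainlist local_domains = sqlite;select DISTINCT domain from users where \
#                            domain='${quote_sqlite:$domain}' and is_enabled=1;

# Recommended form: an explicit expansion-style lookup. The whole list string
# is expanded when the list is matched, so it becomes either the domain the
# query returned ({$value}) or an empty list ({}), which matches nothing.
#
# ${quote_sqlite:...} doubles any single quote in $domain so the value cannot
# terminate the SQL string literal. It is injection protection only: $domain
# is still tainted (it came from the SMTP envelope), which is why the
# expansion form, not quoting, is the answer to the taint message.
domainlist local_domains = ${lookup sqlite {SELECT DISTINCT domain FROM users \
                              WHERE domain = '${quote_sqlite:$domain}' \
                                AND is_enabled = 1} {$value} {}}

begin routers

# Assumed consumer of the list: only domains the query returns are local.
localuser:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery
```

Check it with `exim -bt user@example.com` after a `exim -C /path/to/config -bV` syntax check: a domain present in `users` with `is_enabled = 1` should route via `localuser`, and any other domain should fall through to whatever router follows.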