Hi all;

Firstly, just to note that I understand the purpose of tainting data, and 
appreciate any improvements to security within Exim.  

That said, I was already aware of the potential for bad variable data being 
exposed to the server, and was removing non-alphanumeric characters from 
$local_part (or, at least, attempting to) with the expansion 
${sg{$local_part}{\N[^A-Za-z0-9_.-]\N}{_}}.  However, this still appears to 
fail in my transports.

Is ${sg} not a suitable expansion to de-taint $local_part or $domain?   If not, 
that massively screws with the long-term archival that I am required to do with 
my Exim mail server (which I appreciate may not have the same use-case as a 
normal mail server).

Regex replacement as a de-taint operation is the typical approach in Perl (where 
they also apply a tainting principle), so I would have reasonably expected it 
to be the same here.

If not, I am desperately in need of an alternative for the following two 
transports, where I need to be able to store *any* received mail (not handled 
by earlier routers/transports) in a browsable directory structure, and so don't 
have valid lookups that I can do:

-----------------
BADFILECHARS                    = \N[^A-Za-z0-9_.-]\N

local_unhandled:
  driver                        = appendfile
  create_directory              = yes
  directory                     = /var/spool/exim/unhandled/\
                                  ${sg{$domain}{BADFILECHARS}{_}}/\
                                  ${sg{$local_part}{BADFILECHARS}{_}}/\
                                  $tod_logfile
  user                          = exim
  group                         = mail
  mode                          = 0660
### end local_unhandled

local_delivery:
  driver                        = appendfile
  file                          = ${if or{{bool{$acl_m_localdiscard}}           \
                                          {bool{${lookup{$local_part}           \
                                                        lsearch{/etc/passwd}    \
                                                        {no}                    \
                                                        {yes}}}}}               \
                                       {/dev/null}                              \
                                       {/var/spool/mail/${sg{$local_part}{BADFILECHARS}{_}}}}
  user                          = ${if or{{bool{$acl_m_localdiscard}}           \
                                          {eqi {$local_part}{root}}             \
                                          {bool{${lookup{$local_part}           \
                                                         lsearch{/etc/passwd}   \
                                                         {no}                   \
                                                         {yes}}}}}              \
                                       {mail}                                   \
                                       {$local_part}}
  group                         = mail
  mode                          = 0620
  delivery_date_add
  envelope_to_add
  return_path_add
  notify_comsat
### end local_delivery
-----------------

I've been avoiding check_local_user (since it tries to chdir into home 
directories that the exim user has no access to), so I don't think I have 
access to $local_part_data (as nothing populates it).

I would dearly love to avoid downgrading to 4.93, off the back of this change.

Regards.
J.
-----------------
~# exim -bV
Exim version 4.94 #2 built 01-Jun-2020 19:51:21
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL 
Content_Scanning DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR PROXY SOCKS SPF 
DMARC TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf

~# yum list installed | grep exim
exim.x86_64                         4.94-1.el7                         @epel

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
