The virtual_localdelivery directory part does not use local_parts_data, just local_parts. And that does not work, also changing it to local_parts_data does not work either unfortunately...
Met vriendelijke groet, Melvin 0412 725 745 [email protected] | www.melv.nl Op alle rechtsverhoudingen tussen Melv en haar opdrachtgevers zijn onze Algemene voorwaarden en verwerkersovereenkomst <https://www.melv.nl/algemenevoorwaarden.pdf> van toepassing. Op do 27 aug. 2020 om 18:31 schreef Andrew C Aitchison < [email protected]>: > > Transferred from exim-dev to exim-users > > > https://bugs.exim.org/show_bug.cgi?id=2636 > > > > --- Comment #8 from Tony Feestneus <[email protected]> --- > > Will try there then, although I fear everyone will point at each other > in this > > issue. Hope you can think about a solution or quick fix maybe? > > If I understand correctly we are talking about this transport: > > #COMMENT#57: > virtual_localdelivery: > driver = appendfile > create_directory > delivery_date_add > directory_mode = 770 > envelope_to_add > directory = > "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}}lsearch{/etc/passwd}{$value}}}}/imap/${domain_data}/${local_part_data}/Maildir" > maildir_format > group = mail > mode = 660 > return_path_add > user = > "${lookup{$domain_data}lsearch*{/etc/virtual/domainowners}{$value}}" > quota = ${if > exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}} > .include_if_exists /etc/exim/virtual_localdelivery.conf.post > > ------------------------- > > I'm not an expert on this stuff, but ... > the directory line has ${local_part_data} so that variable should > be available in the quota line. > I *guess* that changing that line to > quota = ${if > exists{/etc/virtual/${domain}/quota}{${lookup{$local_part_data}lsearch*{/etc/virtual/${domain_data}/quota}{$value}{0}}}{0}} > ( sed -e /quota/s/local_part/local_part_data/ ) > should solve this particular taint. > > In the exim doc, Chapter 9.Expansion variables read about $local_part and > $local_part_data > > https://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECTexpansionitems > > Warning: the content of this variable is usually provided by a > potential attacker. Consider carefully the implications of using it > unvalidated as a name for file access. This presents issues for > usersâ?? .forward and filter files. > ... ... > For virtual users, store a suitable pathname component in the database > which is used for account name validation, and use that retrieved > value rather than this variable. Often $local_part_data is usable in > this role. If needed, use a router address_data or set option for the > retrieved data. > > > > -- > Andrew C. Aitchison Kendal, UK > [email protected] -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
