On Fri, 6 May 2022, Michael Haardt via Exim-users wrote:

> Odhiambo Washington via Exim-users <[email protected]> wrote:
>> I must admit I have zero clue how to detaint this:
>>
>> LOG: MAIN
>> ** [email protected] <mailman-bounces+moses=[email protected]> R=mailman_router T=mailman_transport:
>> Tainted arg 1 for mailman_transport transport command: 'bounces'
>>
>> mailman_router:
>> driver = accept
>
> Guessing, insert this here:
>
> local_parts = ${lookup {$local_part} dsearch {MAILMAN_HOME/lists}}
>
> That should set $local_part_data and then you use that where you used
> $local_part before in require_files and in the transport.
>
> I don't understand why require_files did not trigger the check, though,
> but using the tainted variable $local_part there will be a problem.

As I understand, "require_files" detaints,
since a secure file-system is a database of trust.
--
Andrew C. Aitchison Kendal, UK
[email protected]
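
The following is an added illustration, not part of the original thread and not Exim code: a simplified Python model of why the result of a directory lookup can be trusted where the sender-supplied local part cannot. The Tainted class, the function names, the wrapper path and the "testlist" directory are all constructed for the example.

```python
import os
import tempfile

class Tainted(str):
    """A value taken from the message envelope, i.e. chosen by the sender."""

def dsearch(key, directory):
    """Simplified model of a dsearch-style lookup (not Exim's implementation).

    Returns the matching directory entry as read from the filesystem
    (a plain str), or None when there is no such entry.
    """
    if not key or "/" in key or key in (".", ".."):
        return None  # never let the key walk out of the directory
    for entry in os.listdir(directory):
        if entry == key:
            return entry  # the name comes from the trusted directory listing
    return None

def build_command(wrapper, *args):
    """Refuse tainted arguments, like the transport in the log above."""
    for pos, arg in enumerate(args, start=1):
        if isinstance(arg, Tainted):
            raise ValueError(f"Tainted arg {pos} for transport command: {arg!r}")
    return [wrapper, *args]

def route(local_part, lists_dir, wrapper="/constructed/mailman-wrapper"):
    """Accept only addresses whose local part names an existing list."""
    local_part_data = dsearch(local_part, lists_dir)
    if local_part_data is None:
        return None  # router declines: no such list
    return build_command(wrapper, "post", local_part_data)

def demo():
    # Constructed sample data: one list directory named "testlist".
    with tempfile.TemporaryDirectory() as lists_dir:
        os.mkdir(os.path.join(lists_dir, "testlist"))
        ok = route(Tainted("testlist"), lists_dir)
        missing = route(Tainted("nosuchlist"), lists_dir)
        escape = route(Tainted("../testlist"), lists_dir)
        try:
            build_command("/constructed/mailman-wrapper", "post", Tainted("testlist"))
            rejected = False
        except ValueError:
            rejected = True
        return ok, missing, escape, rejected

if __name__ == "__main__":
    print(demo())
```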