> Niels Kobschätzki via Exim-users <[email protected]> wrote on 
> 21.07.2023 08:47 CEST:
> 
>  
> Hi,
> 
> I have a router for using local filter-files that looks like this:
> 
> virtual_userfilter:
>   driver = redirect
>   domains = lsearch,ret=key;VIRTUAL_DOMAINS_FILE
>   no_check_local_user
>   no_verify
>   no_expn
>   router_home_directory = LDAP_MAILBOX
>   transport_home_directory = LDAP_MAILBOX
>   require_files = exim:${home}/.exim_filter
>   file = ${home}/.exim_filter
>   check_ancestor
>   allow_filter
>   file_transport = address_file
>   pipe_transport = address_pipe
>   reply_transport = address_reply
>   directory_transport = address_directory
>   modemask = 002
>   user = pop
>   group = exim
> 
> And I have in my filter-files this filter which checks if the user has a 
> blacklist enabled and if the sender-address is in the blacklist:
> 
> if "${lookup ldap {LDAPAUTH 
> LDAPDN?enableBlackList?sub?(mail=${quote_ldap:$local_part@$domain})}{$value}{0}}"
>  is "1" and "${lookup ldap {LDAPAUTH 
> LDAPDN?mailBlackList?sub?(&(mail=${quote_ldap:$local_part@$domain})(mailBlackList=${lc:${address:$h_From:}}))}{Yes}{No}}"
>  is "Yes"
> 
> In exim 4.96 I now have the problem that this seems to be considered tainted 
> in filter-files (or in ldap-queries; I am not sure tbh).
> I get this error in the log: tainted search query is not properly quoted 
> (router virtual_userfilter
> , /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH 
> LDAPDN?mailBlackList?sub?(&(mail=test-receiver%40domain.tld)([email protected]))
> 
> And I get this in a debug session: (tainted, quoted:ldap)
> Since I have no_check_local_user set I cannot use local_part_data (it is 
> empty and according to the documentation it would only be not empty if 
> check_local_user is set which I don't want here). And domain_data brings up 
> weird results.
> 
> But one step at a time. How do I de-taint in this context?

Ok, I guess de-tainting is not the problem but I have to quote somehow 
mail=${quote_ldap:$local_part@$domain} ? When I do 
mail='${quote_ldap:$local_part@$domain}' the error vanishes but also a result 
doesn't work anymore. 
In the debug-session I see: (mail='test-receiver%40snafu.de')

I think because @ is replaced by %40 and then the ldap-search won't find it 
anymore because it is quoted.

Best,

Niels
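
An added example (not part of the original post and not Exim's own code): a Python model of the two quoting layers that apply to a value placed in an LDAP URL filter, RFC 4515 filter escaping followed by URL percent-encoding, together with a decoder showing which value the directory ends up comparing. The function names and the URL-safe character set are assumptions of this model; the two addresses come from the log and debug lines above, and the third value is constructed.

```python
import re
from urllib.parse import unquote

# RFC 4515: inside a filter value these are written as backslash + two hex digits.
FILTER_SPECIALS = "*()\\\x00"
# Characters this model leaves unencoded in the URL layer (assumption).
URL_SAFE = "!$'-._"

def quote_ldap_model(value: str) -> str:
    """Filter-escape a value, then percent-encode it for use in an LDAP URL."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch in FILTER_SPECIALS:
            # "\XX" for the filter layer, with the backslash itself URL-encoded
            out.append("%5C{:02X}".format(byte))
        elif byte < 0x80 and (ch.isalnum() or ch in URL_SAFE):
            out.append(ch)
        else:
            out.append("%{:02X}".format(byte))
    return "".join(out)

def value_seen_by_directory(url_filter: str) -> str:
    """Undo both layers for one (attr=value) filter and return the compared value."""
    flt = unquote(url_filter)                      # URL layer is decoded first
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt, re.S)
    if m is None:
        raise ValueError("not a simple (attr=value) filter: %r" % flt)
    # RFC 4515 unescape: \XX -> character
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda h: chr(int(h.group(1), 16)), m.group(2))

def demo() -> dict:
    rcpt = "test-receiver@domain.tld"              # address from the log line
    odd_from = "x*(y)@domain.tld"                  # constructed: filter metacharacters
    quoted = quote_ldap_model(rcpt)
    return {
        "quoted": quoted,
        "plain": value_seen_by_directory("(mail=" + quoted + ")"),
        # apostrophes are not filter syntax, so they become part of the value
        "apostrophes": value_seen_by_directory("(mail='test-receiver%40snafu.de')"),
        "odd_quoted": quote_ldap_model(odd_from),
        "odd_seen": value_seen_by_directory(
            "(mailBlackList=" + quote_ldap_model(odd_from) + ")"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print("%-12s %s" % (name, value))
```

In this model the `%40` form decodes back to the original address before comparison, while the variant wrapped in apostrophes is compared with the apostrophes included.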
