Re: [exim] Tainted filename for search

2020-06-06 Thread Jeremy Harris via Exim-users
On 06/06/2020 19:29, Jeremy Harris via Exim-users wrote:
> On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
>>   dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
>> selector from dkimcerts where domain='$sender_address_domain'}{$value}}
> 
> As I told Max, one of:
> 
> - use the sqlite_dbfile main option
> - use separate tables within one sqlite db rather than multiple db files
> - ensure your sqlite lookup strings do not contain tainted data
>   (look in the Concept Index for de-tainting methods)
> - move to a different db type
> - wait for the next release
> 

To which I'll now add:

- If you are building from git, or from source that you can patch,
  pick up https://git.exim.org/exim.git/commit/b8514d1960e259d49ab2c84c89eba52ab993da3f

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Tainted filename for search

2020-06-06 Thread Jeremy Harris via Exim-users
On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
>   dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
> selector from dkimcerts where domain='$sender_address_domain'}{$value}}

As I told Max, one of:

- use the sqlite_dbfile main option
- use separate tables within one sqlite db rather than multiple db files
- ensure your sqlite lookup strings do not contain tainted data
  (look in the Concept Index for de-tainting methods)
- move to a different db type
- wait for the next release
-- 
Cheers,
  Jeremy



[exim] Tainted filename for search

2020-06-06 Thread Laura Williamson via Exim-users


Hi folks

I have an issue that only appears when using 4.94. I use this to look up
DKIM information for signing outgoing emails:


  dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select selector from dkimcerts where domain='$sender_address_domain'}{$value}}
  dkim_private_key = ${lookup sqlite {/usr/exim/dkimcertificates select cert from dkimcerts where domain='$sender_address_domain'}{$value}}



I get this message in my log

Tainted filename for search: '/usr/exim/dkimcertificates'

Does anybody have any idea how to fix this? Works in 4.93.

Rgds




Re: [exim] SQLite Tainted filename for search error

2020-06-06 Thread Laura Williamson via Exim-users
I've got the same issue and the recommended change doesn't solve my issues
unfortunately. Rolling back to 4.93 solves the problem.




On 06/06/2020 at 00:39, Jeremy Harris via Exim-users wrote:

On 06/06/2020 00:24, Max Kostikov via Exim-users wrote:

2020-06-06 01:02:28 Tainted filename for search:
'/var/db/exim/users.sqlite3'
2020-06-06 01:02:28 failed to expand "${lookup
sqlite{/var/db/exim/users.sqlite3 SELECT domain FROM domain WHERE

http://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsqlite

"The preferred way of specifying the file is by using the sqlite_dbfile
option"





Re: [exim] SQLite Tainted filename for search error

2020-06-06 Thread Max Kostikov via Exim-users

Jeremy Harris via Exim-users wrote on 2020-06-06 13:54:

On 06/06/2020 10:57, Max Kostikov via Exim-users wrote:

And what if more than one SQLite database is used with Exim?


One of:
...
- wait for the next release


It suits me best.
Please do not forget about it.

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net



Re: [exim] SQLite Tainted filename for search error

2020-06-06 Thread Jeremy Harris via Exim-users
On 06/06/2020 10:57, Max Kostikov via Exim-users wrote:
> And what if more than one SQLite database is used with Exim?

One of:

- Use separate tables within one sqlite db rather than multiple db files
- ensure your sqlite lookup strings do not contain tainted data
  (look in the Concept Index for de-tainting methods)
- move to a different db type
- wait for the next release
-- 
Cheers,
  Jeremy



Re: [exim] Tainted filename on DKIM signing in 4.94

2020-06-06 Thread Max Kostikov via Exim-users

Ok, I found a solution (thanks, Jeremy!) in the previous thread.
So now this configuration works fine:

begin transports

  SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}

  KEYNAME      = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
  DKIM_PATH    = /usr/local/etc/exim/dkim
  DKIM_FILE    = SENDER_DOMAIN.KEYNAME
  DKIM_DEFAULT = $qualify_domain.KEYNAME

remote_smtp:
  driver           = smtp
  dkim_domain      = SENDER_DOMAIN
  dkim_selector    = KEYNAME
  dkim_private_key = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
  arc_sign         = $primary_hostname : KEYNAME : DKIM_PATH/DKIM_DEFAULT : timestamps

  ...

Max Kostikov via Exim-users wrote on 2020-06-06 12:25:

I found one more issue after upgrading to the latest Exim 4.94.
This one is related to DKIM signing of outgoing messages.

Jun  6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 Tainted filename '/usr/local/etc/exim/dkim/kostikov.co.key0'
Jun  6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 unable to open file for reading: /usr/local/etc/exim/dkim/kostikov.co.key0

In the Exim configuration it is defined using global variables at the start
of the transports section:

begin transports

  SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}
  KEYNAME      = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
  DKIM_FILE    = /usr/local/etc/exim/dkim/SENDER_DOMAIN.KEYNAME
  DKIM_DEFAULT = /usr/local/etc/exim/dkim/$qualify_domain.KEYNAME


remote_smtp:
  driver           = smtp
  dkim_domain      = SENDER_DOMAIN
  dkim_selector    = KEYNAME
  dkim_private_key = ${if exists{DKIM_FILE}{DKIM_FILE}{}}
  arc_sign         = $primary_hostname : KEYNAME : DKIM_DEFAULT : timestamps
  ...

How can I fix this?

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net


--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net

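A model of the taint rule behind both threads, added here as an illustration and not Exim's own code: it shows why concatenating a header-derived domain into DKIM_FILE is refused in 4.94, and why the dsearch,ret=full lookup Max settled on yields an untainted path. The Tainted class, the function names and the example.org key file are assumptions constructed for the demo.

```python
import os
import tempfile


class Tainted(str):
    """A string derived from untrusted input, e.g. $h_from: or $sender_address_domain."""


class TaintedFilename(Exception):
    """Raised where Exim 4.94 logs 'Tainted filename ...' and refuses the open."""


def dkim_key_path_direct(dkim_dir, domain, keyname):
    """The pattern from the thread (DKIM_PATH/SENDER_DOMAIN.KEYNAME).
    Concatenating a tainted part taints the whole path, so it is refused."""
    path = f"{dkim_dir}/{domain}.{keyname}"
    if isinstance(domain, Tainted) or isinstance(keyname, Tainted):
        raise TaintedFilename(f"Tainted filename '{path}'")
    return path


def dsearch_ret_full(dkim_dir, key):
    """Model of ${lookup {key} dsearch,ret=full {dir}}: the key is only compared
    against the directory's own entries; on a hit the returned path is built from
    the trusted entry name, so it is untainted. None models the lookup failing."""
    for entry in os.listdir(dkim_dir):  # entry names come from the filesystem, not the mail
        if entry == key:
            return os.path.join(dkim_dir, entry)  # plain str, never a Tainted
    return None


def demo():
    """Constructed sample: a key directory holding only example.org.key0."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "example.org.key0"), "w").close()
        domain = Tainted("example.org")  # would come from the From: header
        keyname = "key0"                 # derived from $tod_logfile: untainted
        try:
            dkim_key_path_direct(d, domain, keyname)
            direct = "accepted"
        except TaintedFilename:
            direct = "rejected"
        hit = dsearch_ret_full(d, Tainted(f"{domain}.{keyname}"))
        miss = dsearch_ret_full(d, Tainted("unknown.example.key0"))
        return direct, os.path.basename(hit), isinstance(hit, Tainted), miss
```

The miss case is the expansion's failure branch, which is why a guarded lookup (or the if-exists form) is needed rather than an unconditional file name.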


[exim] Tainted filename on DKIM signing in 4.94

2020-06-06 Thread Max Kostikov via Exim-users

I found one more issue after upgrading to the latest Exim 4.94.
This one is related to DKIM signing of outgoing messages.

Jun  6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 Tainted filename '/usr/local/etc/exim/dkim/kostikov.co.key0'
Jun  6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 unable to open file for reading: /usr/local/etc/exim/dkim/kostikov.co.key0


In the Exim configuration it is defined using global variables at the start of
the transports section:


begin transports

  SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}

  KEYNAME      = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
  DKIM_FILE    = /usr/local/etc/exim/dkim/SENDER_DOMAIN.KEYNAME
  DKIM_DEFAULT = /usr/local/etc/exim/dkim/$qualify_domain.KEYNAME


remote_smtp:
  driver           = smtp
  dkim_domain      = SENDER_DOMAIN
  dkim_selector    = KEYNAME
  dkim_private_key = ${if exists{DKIM_FILE}{DKIM_FILE}{}}
  arc_sign         = $primary_hostname : KEYNAME : DKIM_DEFAULT : timestamps

  ...

How can I fix this?

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net



Re: [exim] SQLite Tainted filename for search error

2020-06-06 Thread Max Kostikov via Exim-users

Thanks!
And what if more than one SQLite database is used with Exim?
E.g. I use one DB for users and domains and a separate DB for antispam
data.


Jeremy Harris via Exim-users wrote on 2020-06-06 01:39:

On 06/06/2020 00:24, Max Kostikov via Exim-users wrote:

2020-06-06 01:02:28 Tainted filename for search:
'/var/db/exim/users.sqlite3'
2020-06-06 01:02:28 failed to expand "${lookup
sqlite{/var/db/exim/users.sqlite3 SELECT domain FROM domain WHERE


http://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsqlite

"The preferred way of specifying the file is by using the sqlite_dbfile
option"


--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net
