Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Hello, thanks for the response. I added CFLAGS += -std=gnu99 and LDFLAGS=-lrt to the Makefile and built successfully!

Regards

- Original Message -
From: "Victor Ustugov via Exim-users"
To: "Victor Ustugov via Exim-users"
Sent: Wednesday, May 5, 2021 6:50 PM
Subject: Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

Victor Ustugov via Exim-users wrote on 05.05.2021 17:14:
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
>>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>>> 4.95 as soon as possible.
>>>>>
>>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>>
>>>> What did you do?
>>>
>>> I built exim 4.94.2 with patch
>>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>>
>>> As I remember patch for exim 4.94 based on:
>>>
>>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>> This one isn't related to the file= feature
>
> As far as I remember I could not build exim 4.94 with
> 4a7dca52352d0976f200b89a50825433b7551554 and
> b8514d1960e259d49ab2c84c89eba52ab993da3f without
> 44644c2e404a3ea0191db0b0458e86924fb240bb
>
>> These both I located too and "backported" to 4.94.2 (as did too,
>> probably):
>>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>>
>> See the attached patches.
>
> Thanks. I'll try to build exim with these patches today evening.

Heiko, I took a look to your patches.

Except for the files related to documentation and tests, our patches are identical. So no need to rebuild exim and check patches again.

Thank you again.

>> @Odhiambo: as it seems you're building your own version of Exim, we
>> recommend you the patches from Victor or my (attached). Currently we do
>> not plan to do the backport officially, because we'll start working
>> to release 4.95 as soon as possible.

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users wrote on 05.05.2021 17:14:
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
>>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>>> 4.95 as soon as possible.
>>>>>
>>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>>
>>>> What did you do?
>>>
>>> I built exim 4.94.2 with patch
>>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>>
>>> As I remember patch for exim 4.94 based on:
>>>
>>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>> This one isn't related to the file= feature
>
> As far as I remember I could not build exim 4.94 with
> 4a7dca52352d0976f200b89a50825433b7551554 and
> b8514d1960e259d49ab2c84c89eba52ab993da3f without
> 44644c2e404a3ea0191db0b0458e86924fb240bb
>
>> These both I located too and "backported" to 4.94.2 (as did too,
>> probably):
>>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>>
>> See the attached patches.
>
> Thanks. I'll try to build exim with these patches today evening.

Heiko, I took a look to your patches.

Except for the files related to documentation and tests, our patches are identical. So no need to rebuild exim and check patches again.

Thank you again.

>> @Odhiambo: as it seems you're building your own version of Exim, we
>> recommend you the patches from Victor or my (attached). Currently we do
>> not plan to do the backport officially, because we'll start working
>> to release 4.95 as soon as possible.
>
>

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
> Victor Ustugov via Exim-users (Mi 05 Mai 2021 14:48:20 CEST):
>> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
>>> Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>> 4.95 as soon as possible.
>>>>
>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>
>>> What did you do?
>>
>> I built exim 4.94.2 with patch
>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>
>> As I remember patch for exim 4.94 based on:
>>
>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
> This one isn't related to the file= feature

As far as I remember I could not build exim 4.94 with
4a7dca52352d0976f200b89a50825433b7551554 and
b8514d1960e259d49ab2c84c89eba52ab993da3f without
44644c2e404a3ea0191db0b0458e86924fb240bb

> These both I located too and "backported" to 4.94.2 (as did too,
> probably):
>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>
> See the attached patches.

Thanks. I'll try to build exim with these patches today evening.

> @Odhiambo: as it seems you're building your own version of Exim, we
> recommend you the patches from Victor or my (attached). Currently we do
> not plan to do the backport officially, because we'll start working
> to release 4.95 as soon as possible.

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users (Mi 05 Mai 2021 14:48:20 CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> > Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
> >>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> >>> 4.95 as soon as possible.
> >>
> >> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> >> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> >> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> >
> > What did you do?
>
> I built exim 4.94.2 with patch
> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>
> As I remember patch for exim 4.94 based on:
>
> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb

This one isn't related to the file= feature

These both I located too and "backported" to 4.94.2 (as did too,
probably):

> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

See the attached patches.

@Odhiambo: as it seems you're building your own version of Exim, we
recommend you the patches from Victor or my (attached).

Currently we do not plan to do the backport officially, because we'll
start working to release 4.95 as soon as possible.

--
Heiko

From 7ecb8213b1c9a6d9db1886d54cce8a60c5b0b55a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 6 Jun 2020 14:45:47 +0100 Subject: [PATCH 1/2] Refactor lookup argument shuffling (cherry picked from commit 4a7dca52352d0976f200b89a50825433b7551554) --- src/src/expand.c| 20 +++- src/src/functions.h | 1 + src/src/match.c | 17 + src/src/search.c| 36 4 files changed, 41 insertions(+), 33 deletions(-) diff --git a/src/src/expand.c b/src/src/expand.c index 05de94c49..ad9f54402 100644 --- a/src/src/expand.c +++ b/src/src/expand.c
@@ -4391,7 +4391,7 @@ if (is_tainted(string)) goto EXPAND_FAILED; } -while (*s != 0) +while (*s) { uschar *value; uschar name[256]; @@ -4777,7 +4777,7 @@ while (*s != 0) int save_expand_nmax = save_expand_strings(save_expand_nstring, save_expand_nlength); - if ((expand_forbid & RDO_LOOKUP) != 0) + if (expand_forbid & RDO_LOOKUP) { expand_string_message = US"lookup expansions are not permitted"; goto EXPAND_FAILED; @@ -4876,21 +4876,7 @@ while (*s != 0) file types, the query (i.e. "key") starts with a file name. */ if (!key) -{ - Uskip_whitespace(); -key = filename; - -if (mac_islookup(stype, lookup_querystyle)) - filename = NULL; -else - if (*filename == '/') - { - while (*key && !isspace(*key)) key++; - if (*key) *key++ = '\0'; - } - else - filename = NULL; -} + key = search_args(stype, name, filename, ); /* If skipping, don't do the next bit - just lookup_value == NULL, as if the entry was not found. Note that there is no search_close() function. diff --git a/src/src/functions.h b/src/src/functions.h index e22fd4f99..a4914b730 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -448,6 +448,7 @@ extern voidroute_init(void); extern gstring * route_show_supported(gstring *); extern voidroute_tidyup(void); +extern uschar *search_args(int, uschar *, uschar *, uschar **); extern uschar *search_find(void *, const uschar *, uschar *, int, const uschar *, int, int, int *, const uschar *); extern int search_findtype(const uschar *, int); diff --git a/src/src/match.c b/src/src/match.c index dfb4b5148..eb8315b46 100644 --- a/src/src/match.c +++ b/src/src/match.c 
@@ -286,22 +286,7 @@ if (!cb->use_partial) partial = -1; /* Set the parameters for the three different kinds of lookup. */ -keyquery = semicolon + 1; -Uskip_whitespace(); - -if (mac_islookup(search_type, lookup_absfilequery)) - { - filename = keyquery; - while (*keyquery && !isspace(*keyquery)) keyquery++; - filename = string_copyn(filename, keyquery - filename); - Uskip_whitespace(); - } - -else if (!mac_islookup(search_type, lookup_querystyle)) - { - filename = keyquery; - keyquery = s; - } +keyquery = search_args(search_type, s, semicolon+1, ); /* Now do the actual lookup; throw away the data returned unless it was asked for; partial matching is all handled inside search_find(). Note that there is diff --git a/src/src/search.c b/src/src/search.c index f8aaacb04..125dd1c48 100644 --- a/src/src/search.c +++ b/src/src/search.c @@ -217,6 +217,42 @@ return stype; } +/* Set the parameters for the three different kinds of lookup. +Arguments: + search_type the search-type code + search the search-type string + query argument for the search; filename or query + fnamep pointer to return
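Review bot: In the expand.c hunk at -4876 the new call reads `key = search_args(stype, name, filename, );` with nothing in the fourth position, and the match.c call `search_args(search_type, s, semicolon+1, );` has the same gap, while the prototype added to functions.h takes a `uschar **` there. As shown this does not compile; the argument should be the address of the caller's `filename`, so that the helper can set or clear it the way the removed block did with `filename = NULL`.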
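Review bot: The block removed from match.c copied the filename with `string_copyn(filename, keyquery - filename)` and branched on `lookup_absfilequery`, whereas the block removed from expand.c terminated the name in place with `*key++ = '\0'` and branched on `*filename == '/'`. One helper now serves both callers, so the comment above `search_args()` in search.c should say which behaviour it keeps: whether the `query` buffer is modified, and what decides that a leading filename is present. The visible part of that comment lists the arguments only.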
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>> 4.95 as soon as possible.
>>
>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>
> What did you do?

I built exim 4.94.2 with patch
https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

As I remember patch for exim 4.94 based on:

https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

Later I ported patch for exim 4.94+fixes.

# exim -be '${lookup sqlite,file=/var/spool/exim/db/access.db{SELECT sender FROM awl WHERE sender="${quote_sqlite:exim-users@exim.org}";}}'
exim-users@exim.org

> I just cherry-picked the mentioned commit
> 4a7dca52352d0976f200b89a50825433b7551554
>
> But the error didn't disappear. I'll check in more detail now.
>
>

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann (Mi 05 Mai 2021 14:04:10 CEST):
> > What did you do? I just cherry-picked the mentioned commit
> > 4a7dca52352d0976f200b89a50825433b7551554
> >
> > But the error didn't disappear. I'll check in more detail now.
>
> seems to be relevant too:
> b8514d1960e259d49ab2c84c89eba52ab993da3f

Yes, then it behaves as expected, but several conflicts I get in the docbook-source.

Question now is, if we want to "officially" backport these fixes. I'll ask Jeremy.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
> > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > 4.95 as soon as possible.
>
> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

What did you do? I just cherry-picked the mentioned commit
4a7dca52352d0976f200b89a50825433b7551554

But the error didn't disappear. I'll check in more detail now.

--
Heiko
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann (Mi 05 Mai 2021 13:57:32 CEST):
> Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
> > > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > > 4.95 as soon as possible.
> >
> > Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> > It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> > and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>
> What did you do? I just cherry-picked the mentioned commit
> 4a7dca52352d0976f200b89a50825433b7551554
>
> But the error didn't disappear. I'll check in more detail now.

seems to be relevant too:
b8514d1960e259d49ab2c84c89eba52ab993da3f

--
Heiko
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 01:39:
> Jeremy Harris via Exim-users (Mi 05 Mai 2021 00:11:59 CEST):
>> Having made me go and look... that is what I did, in b8514d1960
>> (which is since 4.94). A comma-sep option "file=/foo" after
>> the word "sqlite".
>
> Yes, that's what I found. But I can't see this neither in 4.94, or
> 4.94+fixes.
>
> @Victor: Yes, the commit *can* be backported, but first I'd like to
> understand how this syntax worked for Odhiambo with 4.94.

It depends on how Odhiambo built exim.

> And I do not want to drop the support for queries to different SQLite
> databases, but again - I'd like to understand why Odhiambo sees this
> working with 4.94.

> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> 4.95 as soon as possible.

Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

@Odhiambo: try this patch.

https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

This is minimalistic variant of Jeremy's code adapted for exim 4.94+fixes and exim 4.94.2

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Jeremy Harris via Exim-users (Mi 05 Mai 2021 00:11:59 CEST):
> Having made me go and look... that is what I did, in b8514d1960
> (which is since 4.94). A comma-sep option "file=/foo" after
> the word "sqlite".

Yes, that's what I found. But I can't see this neither in 4.94, or 4.94+fixes.

@Victor: Yes, the commit *can* be backported, but first I'd like to understand how this syntax worked for Odhiambo with 4.94.

And I do not want to drop the support for queries to different SQLite databases, but again - I'd like to understand why Odhiambo sees this working with 4.94.

I'd just refuse to create a bloated 4.94+fixes, instead of releasing 4.95 as soon as possible.

--
Heiko
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
On 04/05/2021 22:33, Evgeniy Berdnikov via Exim-users wrote:
> On Tue, May 04, 2021 at 08:39:43PM +0100, Jeremy Harris via Exim-users wrote:
>> On 04/05/2021 20:10, Victor Ustugov via Exim-users wrote:
>>> Why? Many years it was possible to execute queries to different SQLite
>>> databases. Why do you want to drop this feature?
>>
>> The syntax doesn't fit being able to check for tainted data being used.
>
> Why? It sounds strange that *syntax* influences such operational
> details as presence of tainting checks.
>
>> We need to invent some new syntax in order to re-enable the
>> facility, and nobody has done that yet.
>
> What's the problem? Write down requirements and somebody will invent. :)
>
> Let's recall how parameters for LDAP queries are passed:
>
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECID70
>
> If this is acceptable, why similar syntax could not be used for SQLite?
>
> ${lookup sqlite{FILE=/path/to/file }..}
>
> But in my opinion, passing file name as option
>
> ${lookup sqlite,file=/path/to/file {..}..}
>
> is more pleasant to read.

Having made me go and look... that is what I did, in b8514d1960
(which is since 4.94). A comma-sep option "file=/foo" after
the word "sqlite".

What I was remembering, and describing above, was the 4.94 situation.
The problems with the old-style syntax, with a bare filename
whitespace-sep prefixing the initial SQL word (eg. /foo/bar select...)
were
- not very clearly defined syntactic separation
- support for embedded spaces in filename
- existing parse code handled the entire { } lump as a unit,
  and taint checking was only convenient on that unit
  (and we want to taint-check that filename, if there is one)

I was wrong about "nobody has done that yet".

--
Cheers,
Jeremy
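The point made in the message above about the old-style syntax, as an added example that is not part of the thread and not Exim's code: a toy model in C where a string carries a single taint flag, showing why a filename cut out of the expanded query is refused while one given as the `file=` option is accepted. The `tstr` type, all function names and the HELO value are constructed for illustration; Exim's own taint tracking differs in detail.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not Exim source: each value carries ONE taint flag for the
   whole string, like the expanded { } unit described in the thread. */
typedef struct { char text[256]; bool tainted; } tstr;

enum { OPEN_OK, ERR_NOT_ABSOLUTE, ERR_TAINTED };

static tstr mk(const char *s, bool tainted)
{
  tstr t;
  snprintf(t.text, sizeof t.text, "%s", s);
  t.tainted = tainted;
  return t;
}

/* Result of expansion: tainted as soon as any piece was tainted. */
static tstr tcat(tstr a, tstr b)
{
  tstr t = mk(a.text, a.tainted || b.tainted);
  strncat(t.text, b.text, sizeof t.text - strlen(t.text) - 1);
  return t;
}

/* Old style "/path query": the filename is cut out of the already expanded
   string at the first whitespace, so it inherits the string's taint. */
static tstr old_style_filename(tstr expanded)
{
  size_t n = 0;
  tstr f = mk("", expanded.tainted);
  while (expanded.text[n] && !isspace((unsigned char)expanded.text[n])) n++;
  memcpy(f.text, expanded.text, n);
  f.text[n] = '\0';
  return f;
}

/* Option style "sqlite,file=/path": read from the lookup type word in the
   configuration, separately from the query, so it stays untainted. */
static tstr option_filename(const char *type_word)
{
  const char *p = strstr(type_word, ",file=");
  return mk(p ? p + strlen(",file=") : "", false);
}

/* Model of the check made before the database file is opened. */
static int may_open(tstr file)
{
  if (file.text[0] != '/') return ERR_NOT_ABSOLUTE;
  return file.tainted ? ERR_TAINTED : OPEN_OK;
}

/* Constructed sample: config text (clean) around a client-supplied HELO. */
static tstr sample_query(const char *prefix)
{
  tstr q = tcat(mk(prefix, false),
                mk("SELECT host FROM resenders WHERE helo='", false));
  q = tcat(q, mk("mail.example.net", true));  /* stands for $sender_helo_name */
  return tcat(q, mk("';", false));
}

int demo_old_style(void)            /* filename prefixed to the query */
{
  return may_open(old_style_filename(
      sample_query("/var/spool/exim/db/greylist.db ")));
}

int demo_option_style(void)         /* filename given as file= option */
{
  return may_open(option_filename("sqlite,file=/var/spool/exim/db/greylist.db"));
}

int demo_option_on_old_parser(void) /* parser without file= sees only the query */
{
  return may_open(old_style_filename(sample_query("")));
}

int demo_space_in_path(void)        /* old style cuts the path at the space */
{
  tstr f = old_style_filename(mk("/var/db/my list.db SELECT 1;", false));
  return strcmp(f.text, "/var/db/my") == 0;
}

int main(void)
{
  printf("old style: %d, option style: %d, option on old parser: %d, "
         "path cut at space: %d\n", demo_old_style(), demo_option_style(),
         demo_option_on_old_parser(), demo_space_in_path());
  return 0;
}
```

In this model the third case returns the "not absolute" result, which corresponds to the "absolute file name expected" rejection quoted at the start of the thread.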
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
On Tue, May 04, 2021 at 08:39:43PM +0100, Jeremy Harris via Exim-users wrote:
> On 04/05/2021 20:10, Victor Ustugov via Exim-users wrote:
> > Why? Many years it was possible to execute queries to different SQLite
> > databases. Why do you want to drop this feature?
>
> The syntax doesn't fit being able to check for tainted data being used.

Why? It sounds strange that *syntax* influences such operational
details as presence of tainting checks.

> We need to invent some new syntax in order to re-enable the
> facility, and nobody has done that yet.

What's the problem? Write down requirements and somebody will invent. :)

Let's recall how parameters for LDAP queries are passed:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECID70

If this is acceptable, why similar syntax could not be used for SQLite?

${lookup sqlite{FILE=/path/to/file }..}

But in my opinion, passing file name as option

${lookup sqlite,file=/path/to/file {..}..}

is more pleasant to read.

--
Eugene Berdnikov
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
On 04/05/2021 20:10, Victor Ustugov via Exim-users wrote:
> Why? Many years it was possible to execute queries to different SQLite
> databases. Why do you want to drop this feature?

The syntax doesn't fit being able to check for tainted data being used.

We need to invent some new syntax in order to re-enable the
facility, and nobody has done that yet.

--
Cheers,
Jeremy
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 04.05.2021 20:34:
>>> I cannot find any reference to the syntax you're using.
>>> Maybe I'm stupid.
>>
>> https://lists.exim.org/lurker/message/20200606.183617.325a7016.en.html
>>
>> https://git.exim.org/exim.git/commitdiff/b8514d1960e259d49ab2c84c89eba52ab993da3f?hp=4a7dca52352d0976f200b89a50825433b7551554
>
> Thank you for spotting this.
>
> This commit isn't in 4.94, so it is not part of 4.94+fixes and the
> current security release. I'm not sure how it could work for the OPs
> version (the OP stated that 4.94 worked, while 4.94.2 doesn't).

This commit works fine with both 4.94 and 4.94+fixes.

> While we can cherry-pick that commit, I'm not sure, if we really want
> it,

Why? Many years it was possible to execute queries to different SQLite databases. Why do you want to drop this feature?

> until we know how it made its way into the OP's 4.94.

Ask Jeremy. He is an author.

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Hi Victor,

Victor "Ustugov" via Exim-users (Di 04 Mai 2021 18:54:09 CEST):
> > I cannot find any reference to the syntax you're using.
> > Maybe I'm stupid.
>
> https://lists.exim.org/lurker/message/20200606.183617.325a7016.en.html
>
> https://git.exim.org/exim.git/commitdiff/b8514d1960e259d49ab2c84c89eba52ab993da3f?hp=4a7dca52352d0976f200b89a50825433b7551554

Thank you for spotting this.

This commit isn't in 4.94, so it is not part of 4.94+fixes and the current security release. I'm not sure how it could work for the OPs version (the OP stated that 4.94 worked, while 4.94.2 doesn't).

While we can cherry-pick that commit, I'm not sure, if we really want it, until we know how it made its way into the OP's 4.94.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 04.05.2021 19:29:
> Heiko Schlittermann via Exim-users (Di 04 Mai 2021 17:44:23 CEST):
>> Odhiambo Washington via Exim-users (Di 04 Mai 2021 17:00:36 CEST):
>>> On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users <
>>> temporarily rejected after DATA: failed to expand ACL string "${lookup
>>> sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders
>>> WHERE helo='${quote_sqlite:$sender_helo_name}' AND
>>> host='$sender_host_address';} {1}}": absolute file name expected for
>>> "sqlite" lookup
>>
>> I'm checking it. Give me a minute.
>> --
>> Heiko
>
> Is there any chance setting the global sqlite_dbfile option?
>
> According to the spec file
>
> 9.26 More about SQLite
> ----------------------
>
> SQLite is different to the other SQL lookups because a filename is
> required in addition to the SQL query. An SQLite database is a single
> file, and there is no daemon as in the other SQL databases.
>
> The preferred way of specifying the file is by using the sqlite_dbfile
> option, set to an absolute path.
>
> A deprecated method is available, prefixing the query with the filename
> separated by white space. This means that the path name cannot contain
> white space. It also means that the query cannot use any tainted values,
> as that taints the entire query including the filename - resulting in a
> refusal to open the file.
>
> Here is a lookup expansion example:
>
> sqlite_dbfile = /some/thing/sqlitedb
> ...
> ${lookup sqlite {select name from aliases where id='userx';}}
>
>
> I cannot find any reference to the syntax you're using.
> Maybe I'm stupid.

https://lists.exim.org/lurker/message/20200606.183617.325a7016.en.html

https://git.exim.org/exim.git/commitdiff/b8514d1960e259d49ab2c84c89eba52ab993da3f?hp=4a7dca52352d0976f200b89a50825433b7551554

+There are two ways of
+specifying the file.
+The first is is by using the &%sqlite_dbfile%& main option.
+The second, which allows separate files for each query,
+is to use an option appended, comma-separated, to the &"sqlite"&
+lookup type word. The option is the word &"file"&, then an equals,
+then the filename.
+The filename in this case cannot contain whitespace or open-brace charachters.
+.wen

> ${lookup
> sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders
> WHERE helo='${quote_sqlite:$sender_helo_name}' AND
> host='$sender_host_address';} {1}}
>
>
>

--
Best wishes
Victor Ustugov mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
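Review bot: Two typos in the added documentation lines quoted above: "is is" in "The first is is by using" and "charachters" in the sentence on the filename restriction; both should be corrected before the text goes into the spec. That same sentence says the filename cannot contain whitespace or an open brace without saying how a violation is reported, and one clause naming the resulting error would save readers a test run.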
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users (Di 04 Mai 2021 17:44:23 CEST):
> Odhiambo Washington via Exim-users (Di 04 Mai 2021 17:00:36 CEST):
> > On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users <
> > temporarily rejected after DATA: failed to expand ACL string "${lookup
> > sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders
> > WHERE helo='${quote_sqlite:$sender_helo_name}' AND
> > host='$sender_host_address';} {1}}": absolute file name expected for
> > "sqlite" lookup
>
> I'm checking it. Give me a minute.
> --
> Heiko

Is there any chance setting the global sqlite_dbfile option?

According to the spec file

9.26 More about SQLite
----------------------

SQLite is different to the other SQL lookups because a filename is
required in addition to the SQL query. An SQLite database is a single
file, and there is no daemon as in the other SQL databases.

The preferred way of specifying the file is by using the sqlite_dbfile
option, set to an absolute path.

A deprecated method is available, prefixing the query with the filename
separated by white space. This means that the path name cannot contain
white space. It also means that the query cannot use any tainted values,
as that taints the entire query including the filename - resulting in a
refusal to open the file.

Here is a lookup expansion example:

    sqlite_dbfile = /some/thing/sqlitedb
    ...
    ${lookup sqlite {select name from aliases where id='userx';}}

I cannot find any reference to the syntax you're using.
Maybe I'm stupid.

    ${lookup sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders WHERE helo='${quote_sqlite:$sender_helo_name}' AND host='$sender_host_address';} {1}}

--
Heiko
[exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Odhiambo Washington via Exim-users (Di 04 Mai 2021 17:00:36 CEST):
> On Tue, May 4, 2021 at 4:52 PM Heiko Schlittermann via Exim-users <
> temporarily rejected after DATA: failed to expand ACL string "${lookup
> sqlite,file=/var/spool/exim/db/greylist.db {SELECT host from resenders
> WHERE helo='${quote_sqlite:$sender_helo_name}' AND
> host='$sender_host_address';} {1}}": absolute file name expected for
> "sqlite" lookup

I'm checking it. Give me a minute.

--
Heiko