Re: [exim] $dnslist_domain tainted
On 17/11/2022 19:10, Jeremy Harris via Exim-users wrote:
> On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
>> So, sorry to be a tainted dummy, but I'm still left wondering how to deal with this.
>
>> {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item
>
> The filename there is built from a directory path which is not tainted, and a filename which is.
> This is a standard pattern for detainting using a dsearch lookup
> [...] docs [...]
> So, use a ${lookup {tainted_thing} dsearch {untainted_path} {found} {not_found}}.

Huge thanks for the direction and clarity. I'm sure I can now get the new machine purring.

I'm usually fairly good with docs and find exim4 particularly 'tight' (in a good way), sometimes 'intense'. ;) Normally, it's battling with syntax but this one feels more like policy and I lost the way.

'Taint easy but one day I'll have a better grip on the fundamentals and the blindingly obvious will be visible -- although, I can see how that could go wrong :)

I'm looking at such a small part of exim; how you/team keep the whole project together is simply amazing.

Thanks!

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] $dnslist_domain tainted
On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
> So, sorry to be a tainted dummy, but I'm still left wondering how to deal with this.

Look at your line:

> {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item

The filename there is built from a directory path which is not tainted, and a filename which is.
This is a standard pattern for detainting using a dsearch lookup - which as a bonus does the equivalent of "exists" also.

As the docs say (file & database lookups chapter, on dsearch) "If lstat() succeeds then so does the lookup. The result is regarded as untainted."

So, use a ${lookup {tainted_thing} dsearch {untainted_path} {found} {not_found}}.
--
Cheers,
  Jeremy
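A worked version of the dsearch pattern Jeremy describes, added here as an example and not taken from the thread or from Exim's own documentation. It assumes a DNSLISTS macro holding the dnslists string shown later in the thread, per-domain config under /srv/<domain>/config/blacklists with one file per DNSBL whose contents name the ACL action, and an untainted $domain_data.

```exim
# Constructed example, not from the thread. Assumptions: DNSLISTS is a macro
# holding the colon-separated dnslists string; /srv/<domain>/config/blacklists
# holds one file per DNSBL (e.g. bl.spamcop.net) whose contents are the action
# to take ("deny" or "warn"); $domain_data is untainted because it came from
# the domains= lookup, not from anything the client sent.

# 1. The form that fails. $sender_address_domain inside DNSLISTS taints the
#    whole expanded list before it is split, so every $item is tainted and
#    exists{} is handed a tainted file name.
warn  set acl_m_dnslist1 = ${filter{DNSLISTS}\
        {exists{/srv/$domain_data/config/blacklists/\
          ${extract{1}{=!&/}{$item}{$value}{$item}}}}}

# 2. The same selection through dsearch. The tainted key (the bare list name,
#    stripped of any =value, !value or /domain suffix) is lstat()ed inside the
#    untainted directory; success is the existence test and the result is
#    untainted.
warn  set acl_m_dnslist1 = ${filter{DNSLISTS}\
        {bool{${lookup{${extract{1}{=!&/}{$item}{$value}{$item}}}\
          dsearch{/srv/$domain_data/config/blacklists}{true}{false}}}}}

# 3. Acting on a hit. $dnslist_domain is tainted because it was taken from
#    the tainted list, so detaint it the same way before building the path
#    to the per-list action file; $value is the untainted file name returned
#    by dsearch.
deny  dnslists  = $acl_m_dnslist1
      condition = ${lookup{$dnslist_domain}\
                    dsearch{/srv/$domain_data/config/blacklists}\
                    {${if eq{${readfile{/srv/$domain_data/config/blacklists/$value}{}}}\
                            {deny}}}\
                    {false}}
      message   = Rejected: listed at $dnslist_domain ($dnslist_text)
```

Step 2 alone clears the error Martin hit in the filter; step 3 shows the same lookup applied to $dnslist_domain, which is the variable he asked about detainting.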
Re: [exim] $dnslist_domain tainted
On 17/11/2022 15:12, Martin Clayton wrote:
> On 17/11/2022 13:49, Jeremy Harris via Exim-users wrote:
>> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>>> Removing the rhsbl services (i.e., $sender_address_domain) and all is well.
>> [...]
>>> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
>> because it uses $sender_address_domain (which is tainted), taints the entire string

Ah, so it's unexpectedly expected behaviour ;)

So, sorry to be a tainted dummy, but I'm still left wondering how to deal with this.

The dns query runs without issue, log messages, etc, all good. It's only the $dnslist_domain based file lookup to define the action to take.

It sounds like dnslists using rhsbl services have to be tainted. (I'm assuming that attempting to detaint $sender_address_domain isn't sensible when it could legitimately be anything protocol-valid).

So, can $dnslist_domain be detainted? We know it lives in a pre-defined list. The parent (dnslists) may be tainted but the child is reliable, innocent and completely immune to anything in $sender_address_domain.

Rabbit holes :)

Cheers,
Martin
Re: [exim] $dnslist_domain tainted
On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Removing the rhsbl services (i.e., $sender_address_domain) and all is well.
> Looks like I guessed wrong. I'm wondering why this taint error isn't widespread -- could it be $filter/exists specific?

Aha! (otherwise pronounced "Doh!")...

This item:

> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain

because it uses $sender_address_domain (which is tainted), taints the entire string that is the list for ${filter...} (because string-expansion is done before list-expansion). Therefore every $item for the filter is tainted, and so the filtered result list is also.
--
Cheers,
  Jeremy
Re: [exim] $dnslist_domain tainted
Hi Jeremy

And thanks.

On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:
> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with $dnslist_domain.
>> That's a bit surprising as it's 100% internally defined -- there's nothing the outside world can do to change its possible values.
>
> I'm not immediately seeing it either.
>
> If you set up a test using -d+expand and -bh is the value for $acl_m_dnslist1 tainted at the point it gets expanded for the dnslists= ACL condition?

Very handy and, yes, at first mention of the filter (showing the full list)...

  considering: ${filter{ b.barracudacentral.org : hostkarma.junkemailfilter.com=127.0.0.2 : truncate.gbudb.net : bl.spamcop.net : dnsbl.sorbs.net : all.s5h.net : all.bl.blocklist.de : all.spamrats.com : dyna.spamrats.com : noptr.spamrats.com : spam.spamrats.com : bl.mailspike.net : dnsbl.dronebl.org : sbl.spamdown.org : bl.nordspam.com==127.0.0.2 : dnsbl.justspam.org : dnsrbl.org : bl.mxrbl.com : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain : hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain : rhsbl.sorbs.net/$sender_address_domain : dbl.nordspam.com==127.0.0.2/$sender_address_domain } {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item } [...]
  ╰─result: b.barracudacentral.org : hostkarma.junkemailfilter.com=127.0.0.2 : truncate.gbudb.net : bl.spamcop.net : dnsbl.sorbs.net : all.s5h.net : all.bl.blocklist.de : all.spamrats.com : dyna.spamrats.com : noptr.spamrats.com : spam.spamrats.com : bl.mailspike.net : dnsbl.dronebl.org : sbl.spamdown.org : bl.nordspam.com==127.0.0.2 : dnsbl.justspam.org : dnsrbl.org : bl.mxrbl.com : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com : hostkarma.junkemailfilter.com=127.0.0.2/example.com : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com : rhsbl.sorbs.net/example.com : dbl.nordspam.com==127.0.0.2/example.com
  ╰──(tainted)

... and every item in the list (used or not) is considered tainted;

  filter: $item = 'b.barracudacentral.org' $value = 'NULL'
  ╭considering: /srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item }
   ╭considering: 1}{=!&/}{$item}{$value}{$item }
   ├──expanding: 1
   ╰─result: 1
   ╭considering: =!&/}{$item}{$value}{$item }
   ├──expanding: =!&/
   ╰─result: =!&/
   ╭considering: $item}{$value}{$item }
   ├──expanding: $item
   ╰─result: b.barracudacentral.org
   ╰──(tainted)

Removing the rhsbl services (i.e., $sender_address_domain) and all is well.

Looks like I guessed wrong. I'm wondering why this taint error isn't widespread -- could it be $filter/exists specific? I won't guess this time ;)

Cheers,
Martin
Re: [exim] $dnslist_domain tainted
On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Moving an old system to exim 4.94.2 I'm hitting a taint error with $dnslist_domain.
> That's a bit surprising as it's 100% internally defined -- there's nothing the outside world can do to change its possible values.

I'm not immediately seeing it either.

If you set up a test using -d+expand and -bh is the value for $acl_m_dnslist1 tainted at the point it gets expanded for the dnslists= ACL condition?
--
Cheers,
  Jeremy