Re: [exim] $dnslist_domain tainted

2022-11-18 Thread Martin Clayton via Exim-users

On 17/11/2022 19:10, Jeremy Harris via Exim-users wrote:

> On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
>> So, sorry to be a tainted dummy, but I'm still left wondering how to
>> deal with this.
>
> {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item
>
> The filename there is built from a directory path which is not tainted,
> and a filename which is.  This is a standard pattern for detainting
> using a dsearch lookup
>
> [...] docs [...]
>
> So, use a ${lookup {tainted_thing} dsearch {untainted_path}   {found}
> {not_found}}.


Huge thanks for the direction and clarity. I'm sure I can now get the 
new machine purring. I'm usually fairly good with docs and find exim4 
particularly 'tight' (in a good way), sometimes, 'intense'. ;) Normally, 
it's battling with syntax but this one feels more like policy and I lost 
the way. 'Taint easy but one day I'll have a better grip on the 
fundamentals and the blindingly obvious will be visible -- although, I 
can see how that could go wrong :)


I'm looking at such a small part of exim, how you/team keep the whole 
project together is simply amazing.


Thanks!

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] $dnslist_domain tainted

2022-11-17 Thread Jeremy Harris via Exim-users

On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
> So, sorry to be a tainted dummy, but I'm still left wondering how to deal with
> this.


Look at your line:

  {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item

The filename there is built from a directory path which is not tainted,
and a filename which is.  This is a standard pattern for detainting
using a dsearch lookup - which as a bonus does the equivalent of "exists"
also.  As the docs say (file & database lookups chapter, on dsearch)
"If lstat() succeeds then so does the lookup. The result is regarded as 
untainted."

So, use a ${lookup {tainted_thing} dsearch {untainted_path}   {found} 
{not_found}}.
--
Cheers,
  Jeremy




Re: [exim] $dnslist_domain tainted

2022-11-17 Thread Martin Clayton via Exim-users

On 17/11/2022 15:12, Martin Clayton wrote:

> On 17/11/2022 13:49, Jeremy Harris via Exim-users wrote:
>> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>>> Removing the rhsbl services (i.e., $sender_address_domain) and all is
>>> well.
>>
>> [...]
>> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
>>
>> because it uses $sender_address_domain (which is tainted), taints the
>> entire string
>
> Ah, so it's unexpectedly expected behaviour ;)

So, sorry to be a tainted dummy, but I'm still left wondering how to 
deal with this.


The dns query runs without issue, log messages, etc, all good. It's only 
the $dnslist_domain based file lookup to define the action to take.


It sounds like dnslists using rhsbl services have to be tainted. (I'm 
assuming that attempting to detaint $sender_address_domain isn't 
sensible when it could legitimately be anything protocol-valid).


So, can $dnslist_domain be detainted? We know it lives in a pre-defined 
list. The parent (dnslists) may be tainted but the child is reliable, 
innocent and completely immune to anything in $sender_address_domain


Rabbit holes :)

Cheers,
Martin


Re: [exim] $dnslist_domain tainted

2022-11-17 Thread Jeremy Harris via Exim-users

On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Removing the rhsbl services (i.e., $sender_address_domain) and all is well.
>
> Looks like I guessed wrong. I'm wondering why this taint error isn't widespread
> -- could it be $filter/exists specific?

Aha!  (otherwise pronounced "Doh!")...

This item:
  dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain

because it uses $sender_address_domain (which is tainted), taints the entire 
string
that is the list for ${filter...}   (because string-expansion is done before 
list-expansion).
Therefore every $item for the filter is tainted, and so the filtered result 
list is also.
--
Cheers,
  Jeremy



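An added illustration of the two shapes discussed in this thread (it is not code from the thread or from Exim itself): the ${filter} with exists{} that trips the taint check, because string expansion of the list happens before list expansion and so taints every $item, next to the same filter written with the dsearch lookup Jeremy describes earlier in the thread. The macro names VHOST_DIR and VHOST_CONFIG_DIR come from the quoted expansion; the helper macros DNSLISTS, LIST_FILE and LIST_DIR, the shortened list of services, the ACL name and the deny message are assumptions made for this example.

```exim
# Added example, not from the thread. Assumes VHOST_DIR and VHOST_CONFIG_DIR
# are macros defined earlier in the configuration, that $domain_data holds
# the untainted result of the domains= match, and that each vhost has a
# "blacklists" directory containing one file per list it wants consulted.

# The dnslists to consult (shortened). The rhsbl entries expand
# $sender_address_domain; string expansion happens before list expansion,
# so once this list is expanded the whole string, and hence every $item,
# is tainted.
DNSLISTS = bl.spamcop.net : \
           bl.nordspam.com==127.0.0.2 : \
           dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain : \
           rhsbl.sorbs.net/$sender_address_domain

# The part of an item that names the per-list file: everything before the
# first '=', '!', '&' or '/' (the whole item if none of them is present).
# Stopping at '/' keeps the key a single filename component, which is
# what dsearch requires.
LIST_FILE = ${extract{1}{=!&/}{$item}{$value}{$item}}

# The directory part of the path, built only from untainted pieces.
LIST_DIR  = VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists

# Assumed ACL name; the real configuration would use its own RCPT ACL.
acl_check_rcpt:

  # Before: the tainted $item is spliced into a path that exists{} then
  # opens. Exim refuses this with a taint error.
  #
  #   warn
  #     set acl_m_dnslist1 = ${filter{DNSLISTS}{exists{LIST_DIR/LIST_FILE}}}

  # After: dsearch is handed the tainted key and the untainted directory,
  # performs the lstat() itself (so the exists{} test is not needed) and
  # returns an untainted result. bool{} turns the lookup's {yes}{no}
  # strings into the condition the filter needs.
  warn
    set acl_m_dnslist1 = ${filter{DNSLISTS}\
          {bool{${lookup {LIST_FILE} dsearch {LIST_DIR} {yes}{no}}}}}

  # The filtered list is then used as before; $dnslist_domain names the
  # list that produced the hit.
  deny
    message  = listed at $dnslist_domain
    dnslists = $acl_m_dnslist1
```

Whether a value is still tainted at the point it is used can be checked the way Jeremy suggests further down the thread: start a test session with `exim -bh <sending-ip> -d+expand` and look for the `(tainted)` annotation under the expansion result. With the dsearch form the filtered list no longer carries that annotation, because the lookup result is what ends up in $acl_m_dnslist1.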

Re: [exim] $dnslist_domain tainted

2022-11-17 Thread Martin Clayton via Exim-users

Hi Jeremy

And thanks.

On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:

> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with
>> $dnslist_domain. That's a bit surprising as it's 100% internally
>> defined -- there's nothing the outside world can do to change its
>> possible values.
>
> I'm not immediately seeing it either.
>
> If you set up a test using -d+expand and -bh
> is the value for $acl_m_dnslist1 tainted at the point it gets expanded
> for the dnslists= ACL condition?


Very handy and, yes, at first mention of the filter (showing the full 
list)...


 considering: ${filter{ 
   b.barracudacentral.org
 : hostkarma.junkemailfilter.com=127.0.0.2 
 : truncate.gbudb.net  
 : bl.spamcop.net  
 : dnsbl.sorbs.net 
 : all.s5h.net 
 : all.bl.blocklist.de 
 : all.spamrats.com
 : dyna.spamrats.com   
 : noptr.spamrats.com  
 : spam.spamrats.com   
 : bl.mailspike.net
 : dnsbl.dronebl.org   
 : sbl.spamdown.org
 : bl.nordspam.com==127.0.0.2  
 : dnsbl.justspam.org  
 : dnsrbl.org  
 : bl.mxrbl.com
 : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain 
 : hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain   
 : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain 
 : rhsbl.sorbs.net/$sender_address_domain   
 : dbl.nordspam.com==127.0.0.2/$sender_address_domain 
 } {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item }

 [...]
  ╰─result:  
b.barracudacentral.org  
  : hostkarma.junkemailfilter.com=127.0.0.2 
  : truncate.gbudb.net  
  : bl.spamcop.net  
  : dnsbl.sorbs.net 
  : all.s5h.net 
  : all.bl.blocklist.de 
  : all.spamrats.com
  : dyna.spamrats.com   
  : noptr.spamrats.com  
  : spam.spamrats.com   
  : bl.mailspike.net
  : dnsbl.dronebl.org   
  : sbl.spamdown.org
  : bl.nordspam.com==127.0.0.2  
  : dnsbl.justspam.org  
  : dnsrbl.org  
  : bl.mxrbl.com
  : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com 
  : hostkarma.junkemailfilter.com=127.0.0.2/example.com   
  : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com 
  : rhsbl.sorbs.net/example.com   
  : dbl.nordspam.com==127.0.0.2/example.com

 ╰──(tainted)


... and every item in the list (used or not) is considered tainted;


filter: $item = 'b.barracudacentral.org'  $value = 'NULL'
  ╭considering: 
/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item 
}
   ╭considering: 1}{=!&/}{$item}{$value}{$item }
   ├──expanding: 1
   ╰─result: 1
   ╭considering: =!&/}{$item}{$value}{$item }
   ├──expanding: =!&/
   ╰─result: =!&/
   ╭considering: $item}{$value}{$item }
   ├──expanding: $item
   ╰─result: b.barracudacentral.org
  ╰──(tainted)


Removing the rhsbl services (i.e., $sender_address_domain) and all is well.

Looks like I guessed wrong. I'm wondering why this taint error isn't 
widespread -- could it be $filter/exists specific? I won't guess this 
time ;)


Cheers,
Martin


Re: [exim] $dnslist_domain tainted

2022-11-16 Thread Jeremy Harris via Exim-users

On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Moving an old system to exim 4.94.2 I'm hitting a taint error with
> $dnslist_domain. That's a bit surprising as it's 100% internally defined --
> there's nothing the outside world can do to change its possible values.


I'm not immediately seeing it either.

If you set up a test using -d+expand and -bh
is the value for $acl_m_dnslist1 tainted at the point it gets expanded
for the dnslists= ACL condition?

--
Cheers,
  Jeremy

