Re: [exim] de-tainting

2020-06-29 Thread Robert Blayzor via Exim-users
On 6/29/20 12:18 PM, Kurt Jaeger via Exim-users wrote: > One thing I'll test is if we hand values over to perl, maybe > we'll get back untainted value... > > Or did I beat someone to that already ? 8-} I did not test that, I would imagine that should work because how would it really know what

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Michael Haardt via Exim-users
Evgeniy Berdnikov via Exim-users wrote: > On Mon, Jun 29, 2020 at 09:12:23AM +0200, Michael Haardt via Exim-users wrote: > > Partially dsearch does that by not allowing "." and ".." as keys. > > It's a pity, but it does... See thread >

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Michael Haardt via Exim-users
Matthias Hörmann wrote: > Why not use a simple whitelist string replacement? All characters but > some known valid characters (say [a-zA-Z0-9_.-]) are replaced with a > known valid character (say _)? We use that in puppet all the time to > generate paths. As long as you disallow slashes you

Re: [exim] Tainted string changes 4.93

2020-06-29 Thread Jeremy Harris via Exim-users
On 29/06/2020 04:57, Robert Blayzor via Exim-users wrote: > The router hitting: > > local_aliases: > driver = redirect > allow_fail = true > allow_defer = true + local_parts = ${lookup{$local_part}wildlsearch,ret=key{/opt/etc/exim/aliases} > data =

Re: [exim] de-tainting

2020-06-29 Thread Kurt Jaeger via Exim-users
Hi! > The fact that string substitution and matching parts don't even work > now is a real problem... > > data = ${expand:"|/command -c ${if match > {$local_part}{.*foo[\-\+]([a-z0-9]+).*}{$1}{}}"} One thing I'll test is if we hand values over to perl, maybe we'll get back untainted

Re: [exim] de-tainting

2020-06-29 Thread Robert Blayzor via Exim-users
The fact that string substitution and matching parts don't even work now is a real problem... data = ${expand:"|/command -c ${if match {$local_part}{.*foo[\-\+]([a-z0-9]+).*}{$1}{}}"} Won't even work because matching only numbers and letters is still considered "tainted". Forcing

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Robert Blayzor via Exim-users
Why can't a string be considered "de-tainted" if you run it through string substitution? Why is this still invalid? sms_gateway: driver = redirect allow_fail = true allow_defer = true data = ${expand:"|SMS_CMD -c ${sg{$local_part}{^foo\+(\d+)}{\$1}}"} file_transport = address_file

Re: [exim] Looking for an example

2020-06-29 Thread Sebastian Nielsen via Exim-users
For webmail, implement TOTP. If you allow client access (Submission, IMAP etc) from outside, then: Either restrict to internal network only, or require VPN. == OR == Best would be to use GeoIP to, on first login, lock the account to the GeoIP country the current IP has. That would severely

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Sebastian Nielsen via Exim-users
It's better to have it always return, but with any "dangerous" characters stripped instead. Original message From: Michael Haardt via Exim-users Date: 2020-06-29 09:17 (GMT+01:00) To: exim-users@exim.org Subject: Re: [exim] 4.94 - De-tainting without lookup? Matthias

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Evgeniy Berdnikov via Exim-users
On Mon, Jun 29, 2020 at 09:12:23AM +0200, Michael Haardt via Exim-users wrote: > Partially dsearch does that by not allowing "." and ".." as keys. It's a pity, but it does... See thread https://lists.exim.org/lurker/thread/20200625.134349.ed703108.en.html > A lookup either returns data or fails,

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Matthias Hörmann via Exim-users
Why not use a simple whitelist string replacement? All characters but some known valid characters (say [a-zA-Z0-9_.-]) are replaced with a known valid character (say _)? We use that in puppet all the time to generate paths. As long as you disallow slashes you don't even have to worry about ..

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Michael Haardt via Exim-users
Matthias Hörmann via Exim-users wrote: > This essentially gets me back to where I started. I *want* any domains > and local parts to be created as part of this process. I can live with > the case where it won't create paths with dangerous characters (that > never happened on dozens of servers in

Re: [exim] 4.94 - De-tainting without lookup?

2020-06-29 Thread Matthias Hörmann via Exim-users
Hello. This essentially gets me back to where I started. I *want* any domains and local parts to be created as part of this process. I can live with the case where it won't create paths with dangerous characters (that never happened on dozens of servers in years of using this config, possibly