Re: [exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Tobias Klausmann via Exim-users
Hi! 

On Tue, 07 Jan 2020, Jeremy Harris via Exim-users wrote:
> On 07/01/2020 16:47, Tobias Klausmann via Exim-users wrote:
> > # exim -bt klausman-gen...@schwarzvogel.de 
> > LOG: MAIN PANIC
> >   attempt to expand tainted string '$rheader_From'
> > LOG: MAIN PANIC
> >   attempt to expand tainted string '${if def:header_From {true}{false}}'
> > Sieve error: header string expansion failed in line 3
> > klausman-gen...@schwarzvogel.de -> inbox
> >   transport = address_file
> 
> Raised bug 2506 for this.
> Please say what platform and who built the exim binary.

$ uname -a
Linux skade 5.5.0-rc3 #15 SMP Fri Dec 27 13:10:59 CET 2019 x86_64 Intel(R) 
Core(TM) i7-7700 CPU @ 3.60GHz GenuineIntel GNU/Linux

Exim was built on the same machine, using Gentoo's portage.


Address test with -d+all and full config (I've also attached my
exim.conf):

  08:54:49  2563 Exim version 4.93.0.4 uid=1000 gid=1000 pid=2563 D=fff9
  Support for: crypteq iconv() IPv6 PAM Perl TCPwrappers OpenSSL 
Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PRDR TCP_Fast_Open
  Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch passwd
  Authenticators: cram_md5 cyrus_sasl plaintext spa
  Routers: accept dnslookup ipliteral manualroute queryprogram redirect
  Transports: appendfile/maildir/mailstore autoreply pipe smtp
  Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
  Fixed never_users: 0
  Configure owner: 0:0
  Size of off_t: 8
  Compiler: GCC [9.2.0]
  Library version: Glibc: Compile: 2.30
  Runtime: 2.30
  Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
Runtime: Berkeley DB 5.3.28: (September  9, 2013)
  Library version: OpenSSL: Compile: OpenSSL 1.1.1d  10 Sep 2019
Runtime: OpenSSL 1.1.1d  10 Sep 2019
   : built on: Tue Dec  3 18:07:39 2019 UTC
  Library version: IDN2: Compile: 2.3.0
 Runtime: 2.3.0
  Library version: Stringprep: Compile: 1.35
   Runtime: 1.35
  Library version: Cyrus SASL: Compile: 2.1.27
   Runtime: 2.1.27 [Cyrus SASL]
  Library version: PCRE: Compile: 8.43
 Runtime: 8.43 2019-02-23
  08:54:49  2563 Total 11 lookups
  WHITELIST_D_MACROS unset
  TRUSTED_CONFIG_LIST unset
  08:54:49  2563 changed uid/gid: -C, -D, -be or -bf forces real uid
  08:54:49  2563   uid=1000 gid=1000 pid=2563
  08:54:49  2563   auxiliary group list: 10 12 16 35 78 100 110 237 245 249 250 
1000
  08:54:49  2563 seeking password data for user "root": cache not available
  08:54:49  2563 getpwnam() succeeded uid=0 gid=0
  08:54:49  2563 tls_validate_require_cipher child 2564 ended: status=0x0
  08:54:49  2563 adding PATH=/sbin:/usr/sbin
  08:54:49  2563 configuration file is exim.conf
  08:54:49  2563 log selectors = 0ffc 99005032 0003
  08:54:49  2563 admin user
  08:54:49  2563 dropping to exim gid; retaining priv uid
  08:54:49  2563 changing group to 12 failed: Operation not permitted
  08:54:49  2563 originator: uid=1000 gid=1000 login=klausman name=Tobias 
Klausmann
  08:54:49  2563 sender address = klaus...@schwarzvogel.de
  08:54:49  2563 Address testing: uid=1000 gid=1000 euid=1000 egid=1000
  08:54:49  2563 
  08:54:49  2563 Testing klausman-gen...@schwarzvogel.de
  08:54:49  2563 
  08:54:49  2563 Considering klausman-gen...@schwarzvogel.de
  08:54:49  2563 >>>
  08:54:49  2563 routing klausman-gen...@schwarzvogel.de
  08:54:49  2563 > virtual router <
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 checking domains
  08:54:49  2563 search_open: dsearch "/etc/exim/virtual"
  08:54:49  2563 search_find: file="/etc/exim/virtual"
  08:54:49  2563   key="schwarzvogel.de" partial=-1 affix=NULL starflags=0
  08:54:49  2563 LRU list:
  08:54:49  2563   5/etc/exim/virtual
  08:54:49  2563   End
  08:54:49  2563 internal_search_find: file="/etc/exim/virtual"
  08:54:49  2563   type=dsearch key="schwarzvogel.de"
  08:54:49  2563 file lookup required for schwarzvogel.de
  08:54:49  2563   in /etc/exim/virtual
  08:54:49  2563 lookup failed
  08:54:49  2563 schwarzvogel.de in "dsearch;/etc/exim/virtual"? no (end of 
list)
  08:54:49  2563 virtual router skipped: domains mismatch
  08:54:49  2563 > dnslookup router <
  08:54:49  2563 local_part=klausman-gentoo domain=schwarzvogel.de
  08:54:49  2563 checking domains
  08:54:49  2563 schwarzvogel.de in 
"schwarzvogel.de:skade.schwarzvogel.de:i-no.de"? yes (matched "schwarzvogel.de")
  08:54:49  2563 schwarzvogel.de in "! +local_domains"? no (matched "! 
+local_domains")
  08:54:49  2563 dnslookup router skipped: domains mismatch
  08:54:49  2563 > new_system_aliases router <
  

Re: [exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Jeremy Harris via Exim-users
On 07/01/2020 20:20, Michael Haardt via Exim-users wrote:
> This is quite likely an internal expansion from sieve.c:2327.  I did
> not really follow the list recently, so I missed the introduction of
> "tainted" expansions, but the code does this:
> 
>   expand_header(&header_value,h);
>   header_def=expand_string(string_sprintf("${if def:header_%s {true}{false}}",quote(h)));
>   if (header_value.character == NULL || header_def == NULL)

Yes, I found that location also.  But, so far, all the coding
looks ok - and a quick testcase finds no issues.

> That's to expand and check if a header is defined in order to
> compare it with a value.  Perhaps there is a better way to do
> that

That depends somewhat on how much modularity we want to maintain
(here, between the sieve-filter code - which is somewhat of an
add-on - and the exim core code.  We could, for instance, provide
and use native interfaces for querying headers rather than going
via the expansions facility).  But it's not wrong to be using
those expansions IF the strings being expanded are untainted
(obviously the results could be; in fact _will_ be for headers).

Actually, explaining that has made me wonder... where was the
filter script coming from for Tobias' case, and do we consider
that as a trusted source or a tainted one?  I'll have a dig
in that direction.
-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
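The question raised in the message above, as an added C model (not code from the thread or from Exim): it assumes the header name taken from the filter script counts as tainted, so the template built from it is tainted and the expander refuses it, while a native header lookup uses the same name only as data. The type `tstr` and the functions `build_def_test`, `expand_def` and `header_defined` are hypothetical names, and the per-string taint flag is a simplification chosen for the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model only: an explicit taint flag per string (hypothetical type). */
typedef struct { char text[96]; bool tainted; } tstr;

/* Formatting propagates taint: the result is tainted if the argument is. */
static tstr build_def_test(const tstr *name) {
    tstr t = { .tainted = name->tainted };
    snprintf(t.text, sizeof t.text, "${if def:header_%s {true}{false}}", name->text);
    return t;
}

/* Native lookup: the name is compared as data, never interpreted. */
static bool header_defined(const char *const *hdrs, const char *name) {
    size_t n = strlen(name);
    for (; *hdrs; hdrs++)
        if (strncasecmp(*hdrs, name, n) == 0 && (*hdrs)[n] == ':')
            return true;
    return false;
}

/* Expander gate: -1 = refused, otherwise 0/1 for the def:header_X test. */
static int expand_def(const tstr *tmpl, const char *const *hdrs) {
    char name[64];
    if (tmpl->tainted) {
        fprintf(stderr, "attempt to expand tainted string '%s'\n", tmpl->text);
        return -1;
    }
    if (sscanf(tmpl->text, "${if def:header_%63[^ ]", name) != 1)
        return -1;
    return header_defined(hdrs, name);
}

/* Constructed sample headers, not taken from the thread. */
static const char *const SAMPLE_HDRS[] = { "From: a@example.org", "Subject: hi", NULL };

int main(void) {
    tstr from_script = { "From", true };   /* name read from a user's filter file */
    tstr from_code   = { "From", false };  /* name fixed in trusted code */
    tstr a = build_def_test(&from_script), b = build_def_test(&from_code);
    printf("tainted template:   %d\n", expand_def(&a, SAMPLE_HDRS));
    printf("untainted template: %d\n", expand_def(&b, SAMPLE_HDRS));
    printf("native lookup:      %d\n", header_defined(SAMPLE_HDRS, from_script.text));
    return 0;
}
```
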


Re: [exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Michael Haardt via Exim-users
> # exim -bt klausman-gen...@schwarzvogel.de 
> LOG: MAIN PANIC
>   attempt to expand tainted string '$rheader_From'
> LOG: MAIN PANIC
>   attempt to expand tainted string '${if def:header_From {true}{false}}'
> Sieve error: header string expansion failed in line 3

This is quite likely an internal expansion from sieve.c:2327.  I did
not really follow the list recently, so I missed the introduction of
"tainted" expansions, but the code does this:

  expand_header(&header_value,h);
  header_def=expand_string(string_sprintf("${if def:header_%s {true}{false}}",quote(h)));
  if (header_value.character == NULL || header_def == NULL)

That's to expand and check if a header is defined in order to
compare it with a value.  Perhaps there is a better way to do
that or a different API should be used now?

Michael



Re: [exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Jeremy Harris via Exim-users
On 07/01/2020 16:47, Tobias Klausmann via Exim-users wrote:
> # exim -bt klausman-gen...@schwarzvogel.de 
> LOG: MAIN PANIC
>   attempt to expand tainted string '$rheader_From'
> LOG: MAIN PANIC
>   attempt to expand tainted string '${if def:header_From {true}{false}}'
> Sieve error: header string expansion failed in line 3
> klausman-gen...@schwarzvogel.de -> inbox
>   transport = address_file

Raised bug 2506 for this.
Please say what platform and who built the exim binary.
-- 
Cheers,
  Jeremy



Re: [exim] Exim maintenance release 4.93.0.4 | branch exim-4.93+fixes

2020-01-07 Thread Jeremy Harris via Exim-users
On 07/01/2020 16:59, john via Exim-users wrote:
> I assume that this release does not fix the problem I have with tainted
> strings when receiving (or failing to) mail from my phone?

I'm bemused by your issue, as I said.
I can only suggest, as it's a self-build, to remove
the definition of TAINT_CHECK_FAST from OS/Makefile-Linux
and try that.
-- 
Cheers,
  Jeremy



Re: [exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Tobias Klausmann via Exim-users
Hi! 

On Tue, 07 Jan 2020, Tobias Klausmann via Exim-users wrote:
> I'm running exim in this configuration:
[...]

Same problem with 4.93.0.4.

best,
Tobias



Re: [exim] Exim maintenance release 4.93.0.4 | branch exim-4.93+fixes

2020-01-07 Thread john via Exim-users
I assume that this release does not fix the problem I have with tainted 
strings when receiving (or failing to) mail from my phone?

==John ff




[exim] Sieve filters broken due to tainted expansions?

2020-01-07 Thread Tobias Klausmann via Exim-users
Hey,

I'm running exim in this configuration:

17:28:39 64561 Exim version 4.93.0.3 uid=0 gid=0 pid=64561 D=fff9
Support for: crypteq iconv() IPv6 PAM Perl TCPwrappers OpenSSL Content_Scanning 
DANE DKIM DNSSEC Event I18N OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch passwd
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [9.2.0]
Library version: Glibc: Compile: 2.30
Runtime: 2.30
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
  Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: OpenSSL: Compile: OpenSSL 1.1.1d  10 Sep 2019
  Runtime: OpenSSL 1.1.1d  10 Sep 2019
 : built on: Tue Dec  3 18:07:39 2019 UTC
Library version: IDN2: Compile: 2.3.0
   Runtime: 2.3.0
Library version: Stringprep: Compile: 1.35
 Runtime: 1.35
Library version: Cyrus SASL: Compile: 2.1.27
 Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.43
   Runtime: 8.43 2019-02-23

I have a special user router setup:

  extension_user_delivery_f:
    driver = redirect
    local_part_suffix = -*
    require_files = /home/$local_part/.mail-extensions:/home/$local_part/.forward
    condition = ${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
    user=$local_part
    check_ancestor
    file = /home/$local_part/.forward
    allow_filter
    allow_fail
    verify=false
    file_transport = address_file
    pipe_transport = address_pipe
    reply_transport = address_reply

And the top of my .forward looks like this:


# Sieve filter
require ["fileinto", "envelope"];
if header :contains ["From"] ["@someblacklisteddomain"] { discard; stop; }
if header :contains ["From"] ["@antoher junkmailer"] { discard; stop; }

and a .mail-extensions file with this:

-foobar  # an extension that is ok, so klausman-foo...@schwarzvogel.de is a valid destination

This setup has worked well for over a decade. It broke with exim
4.93, with mail being rejected/not delivered if an extension
address is used. My mainlog is full of:


2020-01-07 17:28:09 1iorSJ-000C9a-83 == klaus...@schwarzvogel.de 
 R=extension_user_delivery_f defer (-1): 
internal problem in extension_user_delivery_f router (recipient is 
klausman-gen...@schwarzvogel.de): failure to transfer data from subprocess: 
status=0100 readerror='Success'

(very helpful error, that)

During debugging I found this:

# exim -bt klausman-gen...@schwarzvogel.de 
LOG: MAIN PANIC
  attempt to expand tainted string '$rheader_From'
LOG: MAIN PANIC
  attempt to expand tainted string '${if def:header_From {true}{false}}'
Sieve error: header string expansion failed in line 3
klausman-gen...@schwarzvogel.de -> inbox
  transport = address_file

I presume "tainted" strings can not be used in Sieve filters
anymore? That would make Sieve entirely pointless, from my POV.
So clearly, I am missing something. What is going on?

Best,
Tobias



Re: [exim] 4.93 Breaks MailScanner - Header File Change?

2020-01-07 Thread Jeremy Harris via Exim-users
On 07/01/2020 12:14, Tony Yates via Exim-users wrote:
> "Any of the above may have an extra hyphen prepended, to indicate the
> the corresponding data is
> untrusted."
> 
> The addition of extra hyphens on variables in the '-H' file breaks
> MailScanner.  If the new behaviour is seen as important can it not at
> least be made optional with a new configuration flag?

No.

The spool file content is not regarded as an exported, stable interface.
Mailscanner should not be looking at it, or is at risk of such breakage.
-- 
Cheers,
  Jeremy



[exim] 4.93 Breaks MailScanner - Header File Change?

2020-01-07 Thread Tony Yates via Exim-users

Hi,

Per page 493 of the current spec:

"Any of the above may have an extra hyphen prepended, to indicate the 
the corresponding data is untrusted."

The addition of extra hyphens on variables in the '-H' file breaks 
MailScanner.  If the new behaviour is seen as important can it not at 
least be made optional with a new configuration flag?


Thanks.

Regards,

Tony..

