On Sat, 12 Jun 2021, Jasen Betts via Exim-dev wrote:
I'm wanting to be able to use expansion variables in the servers=
parameter of query-style lookups.
I can use variables if I put servers= inside the query, but if
servers= is used there I can't use tainted variables in the query.
I crawled around looking at the source code trying to
backtrace to the caller code and finally came up with this patch:
--- a/build/exim/src/lookups/lf_sqlperform.c
+++ b/build/exim/src/lookups/lf_sqlperform.c
@@ -129,7 +129,7 @@ else
uschar * ele;
for (int sep = ','; ele = string_nextinlist(&opts, &sep, NULL, 0); )
if (Ustrncmp(ele, "servers=", 8) == 0)
- { serverlist = ele + 8; break; }
+ { serverlist = expand_string( ele + 8 ); break; }
}
if (!serverlist)
---
This seems to work for simple variables which is enough for me. Full
brace expansion does not work (I think the parser gets confused).
As I understand it this is not going to cause a memory leak.
a few lines down from this serverlist is checked to be taint-free so
this feels safe to me.
Isn't the idea to check a string is taint-free *before* expanding it ?
--
Andrew C. Aitchison Kendal, UK
[email protected]
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
details at http://www.exim.org/ ##
