Hi,
Moving an old system to exim 4.94.2 I'm hitting a taint error with
$dnslist_domain. That's a bit surprising as it's 100% internally defined
-- there's nothing the outside world can do to change its possible
values. Well, at least in my mind ;)

  warn domains = +vhost_domains
       dnslists = $acl_m_dnslist1
       add_header = X-Spam-Blacklisted: $dnslist_matched listed at $dnslist_domain ($dnslist_value)
       set acl_m105076_act = ${lookup{tag}lsearch{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$dnslist_domain}{tag}{reject}}
       logwrite = ACL#10/50/76: H=$sender_fullhost $dnslist_matched blacklisted at $dnslist_domain ($dnslist_value) - $domain_data set to $acl_m105076_act

  deny condition = ${if eq {$acl_m105076_act}{reject}}
       message = $dnslist_matched blacklisted at $dnslist_domain ($dnslist_value) \
                 ${if def:dnslist_text {\n$dnslist_text}}

When there's an rbl hit, the lsearch lookup triggers a taint error, e.g.:

  Tainted filename for search '/srv/example.com/config/blacklists/bl.mxrbl.com'
  failed to expand ACL string "${lookup{tag}lsearch{/srv/$domain_data/config/blacklists/$dnslist_domain}{tag}{reject}}"

(I haven't touched most of the config but $domain_data is innocent -- a
quick test replacing $dnslist_domain with a hardcoded "bl.mxrbl.com" and
all is well).
So, a bit of a dummy question (sorry), but how do I detaint
$dnslist_domain? Presumably, with a simple lookup -- by definition it's
in $acl_m_dnslist1 and the associated file will very likely still exist
at VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$dnslist_domain ...
In case it's relevant, $acl_m_dnslist1 is populated via a filter looking
for the presence of various files, e.g.:

  warn domains = +vhost_domains
       set acl_m_dnslist1 = ${filter{ \
           b.barracudacentral.org : \
           hostkarma.junkemailfilter.com=127.0.0.2 : \
           bl.mxrbl.com : \
           dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain : \
           hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain : \
           dbl.nordspam.com==127.0.0.2/$sender_address_domain \
         } \
         {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} \
       }

Hmm, I'm now wondering if $sender_address_domain has tainted dnslists,
parent of $dnslist_domain. I guess not.
Meanwhile, thanks for exim - and any pointers!
M
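
One way to apply the "simple lookup" idea from the message above, as an added example that is not part of the original post: a dsearch lookup on the blacklists directory returns the name of the matching directory entry, and the sketch assumes that in Exim 4.94 this result is untainted. The variable name acl_m_bl_file is hypothetical, and skipping the action when no per-list file exists is an assumption about the intended behaviour.

```exim
# Added example: detaint $dnslist_domain by matching it against the
# entries of the blacklists directory before building a file name.
warn domains  = +vhost_domains
     dnslists = $acl_m_dnslist1

     # dsearch looks for a directory entry whose name equals the key.
     # On success it yields that entry name (assumed untainted in 4.94);
     # on failure the expansion yields an empty string. The key may not
     # contain "/", so the tainted value cannot leave the directory.
     set acl_m_bl_file = \
       ${lookup{$dnslist_domain}dsearch{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists}}

     # Assumption: with no per-list file, stop here and take no action.
     condition = ${if def:acl_m_bl_file}

     add_header = X-Spam-Blacklisted: $dnslist_matched listed at \
                  $dnslist_domain ($dnslist_value)

     # Only the detainted name is used to build the lsearch file name.
     set acl_m105076_act = \
       ${lookup{tag}lsearch{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$acl_m_bl_file}{tag}{reject}}

     logwrite = ACL#10/50/76: H=$sender_fullhost $dnslist_matched \
                blacklisted at $dnslist_domain ($dnslist_value) - \
                $domain_data set to $acl_m105076_act
```

$dnslist_domain stays in the header, log line and message text, where taint does not matter; only the file name passed to lsearch has to be untainted.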