Mailing List Archive

[Bug 2601] Taint for $sender_address_domain?
https://bugs.exim.org/show_bug.cgi?id=2601

Jeremy Harris <jgh146exb@wizmail.org> changed:

      What    |Removed                     |Added
----------------------------------------------------------------------------
    Resolution|---                         |INVALID
        Status|NEW                         |RESOLVED

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
The domain is part of an address supplied by the message sender, therefore it
is correct for it to be untrusted.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2601] Taint for $sender_address_domain?
https://bugs.exim.org/show_bug.cgi?id=2601

--- Comment #2 from martynas@mc2.dev ---
Yes, but why do we trust message body then? Like:

    if $message_body matches "...."
    then
    seen finish
    endif

The thing I don't get - why is $message_body safer than $sender_address_domain?

Thank you.

[Bug 2601] Taint for $sender_address_domain?
https://bugs.exim.org/show_bug.cgi?id=2601

martynas@mc2.dev changed:

      What    |Removed                     |Added
----------------------------------------------------------------------------
    Resolution|INVALID                     |---
        Status|RESOLVED                    |REOPENED

--- Comment #3 from martynas@mc2.dev ---
Re-opening just to make sure it works as intended.

[Bug 2601] Taint for $sender_address_domain?
https://bugs.exim.org/show_bug.cgi?id=2601

martynas@mc2.dev changed:

      What    |Removed                     |Added
----------------------------------------------------------------------------
    Resolution|---                         |INVALID
        Status|REOPENED                    |RESOLVED

--- Comment #4 from martynas@mc2.dev ---
Might be a bogus report as it might still be doing the 'if' comparison with
tainted data, will test it further..

Re: [Bug 2601] Taint for $sender_address_domain?
On Wed, 17 Jun 2020, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2601
>
> --- Comment #2 from martynas@mc2.dev ---
> Yes, but why do we trust message body then? Like:
> if $message_body matches "...."
> then
> seen finish
> endif
>
> The thing I don't get - why is $message_body safer than $sender_address_domain?

As I understand it, the result of "matches" is untainted,
since the answer is effectively a boolean.

Your system filter line

    if $sender_address_domain: is

is not a complete statement.
"is" comes between two arguments and its result is also untainted.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
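
The distinction discussed in this thread, as a small Python model added to the archive page (it is not part of any message above and is not Exim's code): sender-supplied strings carry a taint mark, a condition over them yields a plain boolean, and only a sink such as a file name refuses the tainted value itself. The names `Tainted`, `cond_matches`, `cond_is`, `sink_path` and `untaint_by_lookup` and the sample domains are assumptions made for the illustration.

```python
import re

class Tainted(str):
    """Model of a sender-supplied string; anything built from it stays tainted."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class TaintError(Exception):
    """Raised when tainted data reaches a sink."""

def cond_matches(subject, pattern):
    # A condition may read tainted data; its result is only True/False.
    return re.search(pattern, subject) is not None

def cond_is(left, right):
    # Simplified equality test; again the result carries no taint.
    return str(left) == str(right)

def sink_path(base, name):
    # Model of a sink (here a file name): the value itself is used, so
    # a tainted component is refused.
    if isinstance(name, Tainted):
        raise TaintError("tainted data used in file name: %r" % str(name))
    return base + "/" + name

def untaint_by_lookup(value, trusted):
    # Return the matching entry from locally held data. The caller gets the
    # administrator's copy of the string, never the sender's.
    for entry in trusted:
        if entry == value:
            return entry
    return None

def filter_decision(sender_domain, body):
    # Tainted values are tested, but the action taken is fixed text.
    if cond_matches(body, r"unsubscribe") and cond_is(sender_domain, "example.org"):
        return "finish"
    return "continue"

if __name__ == "__main__":
    domain = Tainted("example.org")          # constructed sample input
    body = Tainted("please unsubscribe me")  # constructed sample input
    print(filter_decision(domain, body))
    print(sink_path("/var/spool/filter", untaint_by_lookup(domain, ["example.org"])))
    try:
        sink_path("/var/spool/filter", domain)
    except TaintError as exc:
        print("refused:", exc)
```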
