Mailing List Archive

[Bug 2623] sqlite lookup taint problem
https://bugs.exim.org/show_bug.cgi?id=2623

Jeremy Harris <jgh146exb@wizmail.org> changed:

What    |Removed                                  |Added
----------------------------------------------------------------------------
Summary |sqlite_dbfile is ignored in list lookups |sqlite lookup taint problem

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2623] sqlite lookup taint problem
https://bugs.exim.org/show_bug.cgi?id=2623

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |ALREADY_FIXED

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
No, it only fails when you specify the DB file with the lookup SQL, and there
is a tainted variable involved (anywhere in the whole string).

What's happened is that the word "select" has been taken as the filename for
the DB, overriding the sqlite_dbfile setting. To avoid this, reword the list
entry as a string-expansion lookup:

sqlite_dbfile = /some/thing/sqlitedb
domainlist relay_to_domains = ${lookup sqlite \
{select '*' from relays where ip='$sender_host_address'}}


The coding in that area has already been changed, since 4.94, to require a
leading slash in specifying a filename. Without that change, the example as
given is unusable.

If you're building from source, you need at least commit 4a7dca5235.

Closing as already dealt with.

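A simplified Python model of the filename/query split and taint check described in comment #2, added here as an illustration; it is not Exim source code and not from either poster. The names `ExpandedString`, `split_item`, `resolve` and `outcome`, and the sample address 192.0.2.1, are assumptions made for the example.

```python
# Simplified model of the behaviour described in comment #2; not Exim source.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class ExpandedString:          # hypothetical type for this example
    text: str
    tainted: bool              # True if any part came from untrusted input

class TaintError(Exception):
    """A tainted value was about to be used as a filename."""

def split_item(item: ExpandedString, require_slash: bool) -> Tuple[Optional[str], str]:
    """Split 'FILE QUERY' into (FILE, QUERY); FILE is None if the item has none."""
    if require_slash and not item.text.startswith("/"):
        return None, item.text             # changed rule: no leading slash, no filename
    word, _, rest = item.text.partition(" ")
    return word, rest.lstrip()             # old rule: first word is always the filename

def resolve(item: ExpandedString, sqlite_dbfile: str, require_slash: bool) -> Tuple[str, str]:
    """Return (database file, SQL query) or raise TaintError."""
    fname, query = split_item(item, require_slash)
    if fname is None:
        return sqlite_dbfile, query        # trusted value from the configuration
    if item.tainted:                       # a substring inherits the whole string's taint
        raise TaintError(f"tainted filename {fname!r}")
    return fname, query

def outcome(item, require_slash, dbfile="/some/thing/sqlitedb"):
    """Return resolve()'s result, or the taint error message as a string."""
    try:
        return resolve(item, dbfile, require_slash)
    except TaintError as exc:
        return str(exc)

# Constructed sample: the query after expanding $sender_host_address (tainted).
QUERY = "select '*' from relays where ip='192.0.2.1'"

if __name__ == "__main__":
    for label, item in [("tainted", ExpandedString(QUERY, True)),
                        ("constant", ExpandedString(QUERY, False))]:
        for slash in (False, True):
            print(label, "require_slash =", slash, "->", outcome(item, slash))
```

With the leading-slash rule the tainted query falls back to `sqlite_dbfile`; a tainted item that does begin with a filename is still refused in this model.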
[Bug 2623] sqlite lookup taint problem
https://bugs.exim.org/show_bug.cgi?id=2623

--- Comment #3 from Andras Nagy <andras@nagya.net> ---
Thanks for the quick follow-up.

JFTR, when I tried it with a constant (i.e. non-tainted) query string, in 4.94,
it just SEGV'd. I assumed that's the same issue as 2606, since "select" is
typically not a file that exists.


Also, I think the suggested workaround has very different semantics than the
original. The

domainlist relay_to_domains = sqlite;select ...

syntax means that when a domain is looked up in the list, the query is
executed, and the domain is considered to be in the list when the query returns
at least one row. "[T]he value resulting from the lookup is not used" (spec
10.9.)

The

domainlist relay_to_domains = ${lookup sqlite {select ...}}

syntax means when a domain is looked up in the list, the query is executed, and
each row returned by the query is compared with the domain being looked up, and
the domain is considered to be in the list when it's equal to one of the rows
returned.

Since the specific use case looks like this, the workaround is not suitable.

domainlist foo = sqlite;select 'yes' from ...
