Mailing List Archive

[Bug 2646] New: taint error in ldap query parameter
https://bugs.exim.org/show_bug.cgi?id=2646

Bug ID: 2646
Summary: taint error in ldap query parameter
Product: Exim
Version: 4.94
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Lookups
Assignee: unallocated@exim.org
Reporter: heiko@fu-berlin.de
CC: exim-dev@exim.org

Exim fails with taint error if a server parameter is specified.

Reproduce:

Argument "-oMai" is used in the following example only to fill
$authenticated_id with a tainted value.

$ exim -oMai example -be '${lookup ldap {ldap:///attr=$authenticated_id}}'
--> works as expected

but:

$ exim -oMai example -be '${lookup ldap {servers="localhost" ldap:///attr=$authenticated_id}}'
2020-09-23 21:15:42 Taint mismatch, string_nextinlist: control_ldap_search 1257

That's not correct. Nothing in the added parameter (servers="localhost") should
cause a taint mismatch.
