Mailing List Archive

[Bug 3066] tainted search query is not properly quoted discloses mysql password
https://bugs.exim.org/show_bug.cgi?id=3066

--- Comment #1 from David Saez <david@ols.es> ---
mysql server is listed on hide mysql_servers

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Jeremy Harris <jgh146exb@wizmail.org> changed:

What      |Removed              |Added
----------------------------------------------------------------------------
Assignee  |unallocated@exim.org |jgh146exb@wizmail.org
Status    |NEW                  |ASSIGNED

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
I'm guessing that the server and password spec is prefixing the query string,
rather than either suffixing the lookup type "mysql" (newer syntax; see
Ch.9 Section 13.2) or in the mysql_servers main-config option.

It's still a bug, though.

--- Comment #3 from Jeremy Harris <jgh146exb@wizmail.org> ---
You really do have to move to the new syntax if you need a per-lookup
server spec, as otherwise the entire string in the braces enclosing the
query becomes tainted by the use of the tainted data parts of it.
That includes the server spec, and we do not permit use of a tainted one.

This is why the new syntax was introduced, in 4.94, moving the server spec
outside those braces. This bug becomes moot.

Jeremy Harris <jgh146exb@wizmail.org> changed:

What      |Removed              |Added
----------------------------------------------------------------------------
See Also  |                     |https://bugs.exim.org/show_bug.cgi?id=3068

--- Comment #4 from David Saez <david@ols.es> ---
No, the password is not included in the lookup, configuration used is like this
one:

MYSQL_MASTER = sql.foo.bar/database/MYSQL_AUTHUSER/MYSQL_AUTHPASSWORD
hide mysql_servers = MYSQL_MASTER

warn condition = ${lookup mysql{servers=sql.foo.bar; INSERT INTO ...

--- Comment #5 from Jeremy Harris <jgh146exb@wizmail.org> ---
That's odd; in testing that I get logged a "servers=" element that does
not include a password. Still a bug, but not quite so concerning as leaking
the password:


PARTIAL = 127.0.0.1::PORT_N
SSPEC = PARTIAL/test/root/pass
hide mysql_servers = SSPEC


# oldstyle partial server spec, prepended to lookup string, indexing
# main-option, but not quoted
warn set acl_m0 = FAIL3: ${lookup mysql {servers=PARTIAL; select name from them where id = '$local_part'}}


11:20:54 42141 LOG: MAIN PANIC
11:20:54 42141 tainted search query is not properly quoted (ACL warn, /home/jgh/git/exim/test/test-config 39): servers=127.0.0.1::1223; select name from them where id = 'c'

--- Comment #6 from David Saez <david@ols.es> ---
my setup is slightly different:

MYSQL_AUTHUSER=user
MYSQL_AUTHPASSWORD=xxxx
MYSQL_MASTER = sql.foo.bar/database/MYSQL_AUTHUSER/MYSQL_AUTHPASSWORD
hide mysql_servers = MYSQL_MASTER

--- Comment #7 from Jeremy Harris <jgh146exb@wizmail.org> ---
The macro usage shouldn't make a difference; those are resolved as the
config is read in. The hide only applies to the mysql_servers option
value being visible in "exim -bP". I'm *fairly* sure the dns name for
the server vs. an IP doesn't matter, nor the explicit port.

Can you get a debug run? With -d+all, for the relevant section leading
up to the log line I get:

14:16:30 28330 processing "warn" (/home/jgh/git/exim/test/test-config 39)
14:16:30 28330 ╭considering: FAIL3: ${lookup mysql {servers=127.0.0.1::1223; select name from them where id = '$local_part'}}
14:16:30 28330 ├───────text: FAIL3:
14:16:30 28330 ╭considering: ${lookup mysql {servers=127.0.0.1::1223; select name from them where id = '$local_part'}}
14:16:30 28330 ╭considering: servers=127.0.0.1::1223; select name from them where id = '$local_part'}}
14:16:30 28330 ├───────text: servers=127.0.0.1::1223; select name from them where id = '
14:16:30 28330 ╭considering: $local_part'}}
14:16:30 28330 ├──────value: c
14:16:30 28330 ├──(tainted)
14:16:30 28330 ╭considering: '}}
14:16:30 28330 ├───────text: '
14:16:30 28330 ╭considering: }}
14:16:30 28330 ├──expanding: servers=127.0.0.1::1223; select name from them where id = '$local_part'
14:16:30 28330 ╰─────result: servers=127.0.0.1::1223; select name from them where id = 'c'
14:16:30 28330 ├──(tainted)
14:16:30 28330 search_open: mysql "NULL"
14:16:30 28330 cached open
14:16:30 28330 search_find: file="NULL"
14:16:30 28330 key="servers=127.0.0.1::1223; select name from them where id = 'c'" partial=-1 affix=NULL starflags=0 opts=NULL
14:16:30 28330 LRU list:
14:16:30 28330 internal_search_find: file="NULL"
14:16:30 28330 type=mysql key="servers=127.0.0.1::1223; select name from them where id = 'c'" opts=NULL
14:16:30 28330 database lookup required for servers=127.0.0.1::1223; select name from them where id = 'c'
14:16:30 28330 (tainted)
14:16:30 28330 LOG: MAIN PANIC
14:16:30 28330 tainted search query is not properly quoted (ACL warn, /home/jgh/git/exim/test/test-config 39): servers=127.0.0.1::1223; select name from them where id = 'c'

--- Comment #8 from David Saez <david@ols.es> ---
I found that the only way to reproduce it is to have the password hardcoded in
the lookup:

warn condition = ${lookup mysql{servers=server/database/user/password; INSERT INTO abuseols.emails \
(mid,fecha,ip,email) VALUES ( \
'${quote_mysql:$message_exim_id-$pid@$primary_hostname}', \
NOW(), \
'${quote_mysql:$sender_host_address}', \
'${sender_address}')} \
{yes}{no}}


10:04:35 31247 ╭considering: ${lookup mysql{servers=server/database/user/password; INSERT INTO abuseols.emails (mid,fecha,ip,email) VALUES ( '${quote_mysql:$message_exim_id-$pid@$primary_hostname}', NOW(), '${quote_mysql:$sender_host_address}', '${sender_address}')} {yes}{no}}
...
10:04:35 31247 ╰─────result: servers=server/database/user/password; INSERT INTO abuseols.emails (mid,fecha,ip,email) VALUES ( '1rPfN5-0000000087z-0JzV-31247@b.mx.olsns.net', NOW(), '127.0.0.1', 'cottonsgardens@glassdoors.ru')
10:04:35 31247 ├──(tainted)
...
10:04:35 31247 (tainted)
10:04:35 31247 LOG: MAIN PANIC
10:04:35 31247 tainted search query is not properly quoted (ACL warn, /usr/local/exim/exim.acl 1647): servers=server/database/user/password; INSERT INTO abuseols.emails (mid,fecha,ip,email) VALUES ( '1rPfN5-0000000087z-0JzV-31247@b.mx.olsns.net', NOW(), '127.0.0.1', 'cottonsgardens@glassdoors.ru')

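A toy model of the behaviour discussed in Comment #3 and reproduced in Comment #8, added here as an example and not Exim's own code: the expansion result is tainted as soon as one item is tainted (so an inline servers= spec at the front is tainted too), a tainted item passes only if it went through ${quote_mysql:...}, and the password component of the spec is redacted before the panic text is produced. The Part class, the quote_mysql model, the regex and the sample inputs are assumptions, not Exim internals.

```python
import re
from dataclasses import dataclass


@dataclass
class Part:
    text: str
    tainted: bool = False   # derived from message data, e.g. $sender_address
    quoted: bool = False    # passed through ${quote_mysql:...}


def quote_mysql(p: Part) -> Part:
    """Model of ${quote_mysql:...}: escape backslash and quote, mark as quoted."""
    escaped = p.text.replace("\\", "\\\\").replace("'", "\\'")
    return Part(escaped, p.tainted, quoted=True)


def build_query(parts):
    """Concatenate the expansion items. As Comment #3 says, one tainted item
    taints the whole string, including a servers= spec at the front.
    Returns (query, tainted, every_tainted_item_was_quoted)."""
    query = "".join(p.text for p in parts)
    tainted = any(p.tainted for p in parts)
    properly_quoted = all(p.quoted for p in parts if p.tainted)
    return query, tainted, properly_quoted


# Old-style inline spec: host/database/user/password terminated by ';' (assumed shape).
SERVER_SPEC = re.compile(r"servers=([^/;\s]+)/([^/;]+)/([^/;]+)/([^;]+);")


def redact_server_spec(s: str) -> str:
    """Hide the password component of an inline server spec before logging."""
    return SERVER_SPEC.sub(lambda m: f"servers={m[1]}/{m[2]}/{m[3]}/<hidden>;", s)


def run_lookup(parts):
    """Return the panic-log text (spec redacted) or None when the query is
    acceptable: tainted data is fine only if every tainted item was quoted."""
    query, tainted, ok = build_query(parts)
    if tainted and not ok:
        return "tainted search query is not properly quoted: " + redact_server_spec(query)
    return None


# Constructed inputs modelled on Comment #8; credentials are placeholders.
SPEC = Part("servers=server/database/user/password; ")
SENDER = Part("someone@example.com", tainted=True)
UNQUOTED = [SPEC, Part("INSERT INTO t (email) VALUES ('"), SENDER, Part("')")]
QUOTED = [SPEC, Part("INSERT INTO t (email) VALUES ('"), quote_mysql(SENDER), Part("')")]

if __name__ == "__main__":
    print(run_lookup(UNQUOTED))   # panic text with the password hidden
    print(run_lookup(QUOTED))     # None
```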