
4.94 - taint - generic workaround
Hi
I'm testing 4.94 for possible issues regarding the recent tainting changes -
and found one similar to one discussed in another thread, but a bit
different (more info below).

It seems that Jeremy is all against creating a generic string detaint -
but I don't agree, and I still needed a quick workaround, so I tested
something like this using mysql (which is already used by my exim):

replaced:
file = /archive/from-${authenticated_id}/${tod_logfile}

with:
file = /archive/from-${lookup mysql {
select regexp_replace('${quote_mysql:$authenticated_id}',
'[^A-Za-z0-9_.-]', '') }}/${tod_logfile}

I know I could just use
file = /archive/from-${lookup mysql {
select '${quote_mysql:$authenticated_id}'}}/${tod_logfile}
but I wanted an example that matches the proposed "detaint" function.


To explain original case further:

It seems that $authenticated_id is marked as tainted; it's set in
server_set_id = $auth1
but it was already validated via the database (the user is authenticated) -
so in this particular case it could be marked as untainted (i.e. I know
it's safe to use because I know that logins don't contain any
characters that would break filenames). I'm not really happy that I'm
not allowed to apply this knowledge.

I cannot use lookup-dsearch to detaint, because the archive file may not
exist (it's created as needed); the same applies to the directory (it
doesn't exist for fresh users, and it may never be created for users that
don't send mail). This is the same problem others pointed out.

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: 4.94 - taint - generic workaround
On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via Exim-users wrote:
> select regexp_replace('${quote_mysql:$authenticated_id}',
> '[^A-Za-z0-9_.-]', '') }}/${tod_logfile}
>
> I know I could just use
> file = /archive/from-${lookup mysql {
> select '${quote_mysql:$authenticated_id}'}}/${tod_logfile}
> but I wanted an example that matches the proposed "detaint" function.

Try:

${lookup {string} nwildlsearch,ret=key {/run/detaint}\
{expr-if-matched}{expr-if-fail}}

where /run/detaint is a file with a character filter; in your case it may be
a single string with the regex ^[\w\.\-]$ or

^[A-Za-z0-9_\.\-]+$

PS. On Linux, /run is a memory-mapped fs, so the hard disk is never touched.
--
Eugene Berdnikov

Re: 4.94 - taint - generic workaround
On 19.07.2020 23:00, Evgeniy Berdnikov via Exim-users wrote:
> On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via Exim-users wrote:
>> select regexp_replace('${quote_mysql:$authenticated_id}',
>> '[^A-Za-z0-9_.-]', '') }}/${tod_logfile}
>>
>> I know I could just use
>> file = /archive/from-${lookup mysql {
>> select '${quote_mysql:$authenticated_id}'}}/${tod_logfile}
>> but I wanted an example that matches the proposed "detaint" function.
>
> Try:
>
> ${lookup {string} nwildlsearch,ret=key {/run/detaint}\
> {expr-if-matched}{expr-if-fail}}
>
> where /run/detaint is a file with a character filter; in your case it may be
> a single string with the regex ^[\w\.\-]$ or
>
> ^[A-Za-z0-9_\.\-]+$

As I understand it, this uses the change mentioned in the 4.94-rc0 changes:

"- - An option on all single-key lookups, to return (on a hit)
a de-tainted version of the lookup key rather than the looked-up data."


If so - then I don't really understand why this is any better than the
proposed string expansion detaint{$val}{regexp/charlist}...

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt

Re: 4.94 - taint - generic workaround
On Mon, Jul 20, 2020 at 11:05:46AM +0200, Marcin Gryszkalis via Exim-users wrote:
> On 19.07.2020 23:00, Evgeniy Berdnikov via Exim-users wrote:
> > On Sun, Jul 19, 2020 at 08:28:34PM +0200, Marcin Gryszkalis via
...
> > ${lookup {string} nwildlsearch,ret=key {/run/detaint}\
> > {expr-if-matched}{expr-if-fail}}
> >
> > where /run/detaint is a file with a character filter; in your case it may be
> > a single string with the regex ^[\w\.\-]$ or
> >
> > ^[A-Za-z0-9_\.\-]+$
>
> As I understand it, this uses the change mentioned in the 4.94-rc0 changes:
>
> "- - An option on all single-key lookups, to return (on a hit)
> a de-tainted version of the lookup key rather than the looked-up data."

Yes.

> If so - then I don't really understand why this is any better than the
> proposed string expansion detaint{$val}{regexp/charlist}...

It's more powerful, because many matching patterns may be put in a file,
ranging from simple "character filters" to very complex constructs.
You can also put a single asterisk for blind "all-detainting", if it
suits you. This is a note about functional capabilities.

If your question was about the user interface and look-and-feel,
I agree that the direction of its evolution seems not right...
But I'm not an Exim developer. Developers may have other opinions.
--
Eugene Berdnikov
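Added example (not code from the thread or from Exim itself): a small Python model of the two detainting styles discussed above, the mysql regexp_replace that silently strips characters and the nwildlsearch,ret=key lookup that either returns the key untouched or fails. The file contents, the Tainted wrapper and the function names are constructed for illustration; the pattern is the second regex from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for /run/detaint, one pattern per line in the
# wildlsearch style: a line starting with '^' is a regex, any other line
# is a literal key in which '*' matches any run of characters.
DETAINT_FILE = r"""
^[A-Za-z0-9_\.\-]+$
"""


@dataclass(frozen=True)
class Tainted:
    """A value that arrived from the client, e.g. $authenticated_id."""
    value: str


def _line_matches(pattern: str, key: str) -> bool:
    if pattern.startswith("^"):
        return re.search(pattern, key) is not None
    wildcard = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(wildcard, key) is not None


def detaint_lookup(key: Tainted, file_contents: str) -> Optional[str]:
    """Model of ${lookup {key} nwildlsearch,ret=key {file}}: on a hit the
    key itself is returned as a plain (untainted) str, on a miss None."""
    for line in file_contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if _line_matches(line, key.value):
            return key.value
    return None


def strip_detaint(key: Tainted) -> str:
    """Model of regexp_replace(..., '[^A-Za-z0-9_.-]', ''): never fails,
    but rewrites the value instead of rejecting it."""
    return re.sub(r"[^A-Za-z0-9_.-]", "", key.value)


def archive_path(auth_id: Tainted, tod_logfile: str) -> str:
    """The 'file = /archive/from-.../...' setting, refusing tainted input."""
    user = detaint_lookup(auth_id, DETAINT_FILE)
    if user is None:
        raise ValueError(f"refusing tainted authenticated_id {auth_id.value!r}")
    return f"/archive/from-{user}/{tod_logfile}"
```

A lone "*" line in the file accepts any key, which is the "blind all-detainting" mentioned above; the model makes visible that it hands back path separators unchanged.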
