Mailing List Archive

Should the taint checks apply to arguments?
I understand why it is dangerous to use tainted data in constructing
filenames so I can no longer run a command containing the local_part,
e.g.

data = |/home/exim/scripts/$local_part

I see that it is also an error to use, e.g.

data = |/home/exim/scripts/my_script $local_part

In this case the script is fixed and the tainted data is being used as
an argument. Is that still dangerous? The script can pick up the
local_part from the LOCAL_PART environment variable.

Richard
--
Richard Gilbert
IT Services
University of Sheffield, Sheffield, S10 2FN, UK
Phone: +44 114 222 3028

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Should the taint checks apply to arguments?
Yes, because you could escape out of the argument; think if the local part contains something like
"something && echo /etc/passwd".
Then what's executed is:
|/home/exim/scripts/my_script something && echo /etc/passwd

Fetching the argument via an environment variable is safe (as long as you don't use it in the script
for something dangerous, but that's not exim's fault), since then you cannot use the variable to
escape out of the shell.

-----Original Message-----
From: Richard Gilbert via Exim-users <exim-users@exim.org>
Sent: 1 June 2021 12:53
To: Exim users list <exim-users@exim.org>
Subject: [exim] Should the taint checks apply to arguments?

I understand why it is dangerous to use tainted data in constructing
filenames so I can no longer run a command containing the local_part,
e.g.

data = |/home/exim/scripts/$local_part

I see that it is also an error to use, e.g.

data = |/home/exim/scripts/my_script $local_part

In this case the script is fixed and the tainted data is being used as
an argument. Is that still dangerous? The script can pick up the
local_part from the LOCAL_PART environment variable.

Richard
--
Richard Gilbert
IT Services
University of Sheffield, Sheffield, S10 2FN, UK
Phone: +44 114 222 3028

Re: Should the taint checks apply to arguments?
On Tue, Jun 01, 2021 at 12:56:04PM +0200, Sebastian via Exim-users wrote:
> Fetching the argument via an environment variable is safe (as long as you don't use it in the script
> for something dangerous, but that's not exim's fault), since then you cannot use the variable to
> escape out of the shell.

There was a bug in Bash: any environment variable containing "name(){...}"
was interpreted as a function definition on shell startup. It has led to
several exploits against Apache and other web servers distributed with
innocent shell scripts (such as "printenv") in cgi-bin directories.
--
Eugene Berdnikov
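
Added example (not part of the thread and not Exim code): the difference the replies describe between pasting the local part into a command string and passing it through the environment, assuming the command string is parsed by /bin/sh. `TAINTED`, `run_interpolated`, `run_via_env`, `valid_local_part` and `handle_delivery` are hypothetical names, and the allowlist is an assumed local policy.

```shell
#!/bin/sh
# Added illustration; every value below is constructed.
# Constructed "tainted" local part carrying shell metacharacters.
TAINTED='something && echo INJECTED'

# Unsafe pattern: the value is pasted into a command string, so the shell
# that parses the string treats "&&" as a command separator.
run_interpolated() {
    sh -c "printf '[%s]' $1"
}

# Safer pattern: the command string is fixed; the value travels in the
# environment and is expanded inside double quotes, so it stays one word.
run_via_env() {
    LOCAL_PART=$1 sh -c 'printf "[%s]" "$LOCAL_PART"'
}

# The receiving script still has to treat LOCAL_PART as untrusted.
# Assumed local policy: letters, digits, dot, underscore, plus, hyphen.
valid_local_part() {
    case $1 in
        '' | *[!A-Za-z0-9._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hypothetical body of my_script: validate first, then use only quoted.
handle_delivery() {
    lp=${LOCAL_PART-}
    if ! valid_local_part "$lp"; then
        printf 'rejected\n' >&2
        return 1
    fi
    printf 'deliver:%s' "$lp"
}

printf 'interpolated: %s\n' "$(run_interpolated "$TAINTED")"
printf 'via env:      %s\n' "$(run_via_env "$TAINTED")"
```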
