Mailing List Archive

Local variables tainted?
Hello,
I'm in the process of upgrading to new exim versions and thought I was
fully prepared for the new concept of tainted variables. But this has
left me rather confused:


$: exim --version
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57

(Debian Package: 4.94.2-7)

Warning: ACL "warn" statement skipped: condition test deferred: Tainted
MySQL server 'localhost/greylist/greylist/xyz'

I am using a MySQL DB for greylisting. The config variables are defined
like this:

"GREYLIST_DBSERVER = localhost/greylist/greylist/xyz"

This is then referred to later:

warn set acl_m8 = ${lookup mysql{servers=GREYLIST_DBSERVER;\
GREYLIST_SUBNET}{$value}{result=unknown}}

Why would a local variable which is never set by any external input be
tainted?


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Local variables tainted?
On 03/09/2021 11:29, Kai Bojens via Exim-users wrote:
> Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
>
> (Debian Package: 4.94.2-7)
>
> Warning: ACL "warn" statement skipped: condition test deferred: Tainted MySQL server 'localhost/greylist/greylist/xyz'
>
> I am using a MySQL DB for greylisting. The config variables are defined like this:
>
> "GREYLIST_DBSERVER = localhost/greylist/greylist/xyz"

(Aside: That looks like a macro, not a variable)

> This is then referred to later:
>
> warn  set acl_m8 = ${lookup mysql{servers=GREYLIST_DBSERVER;\ GREYLIST_SUBNET}{$value}{result=unknown}}
>
> Why would a local variable which is never set by any external input be tainted?

You don't show what GREYLIST_SUBNET is.

In general for this sort of issue it helps to use the debug output
facilities to show what your config is doing in more detail.

Something like

exim -d-all+expand+lookup -be '${lookup mysql{servers=GREYLIST_DBSERVER; GREYLIST_SUBNET}{$value}{result=unknown}}'

would be of interest.
--
Cheers,
Jeremy

Re: Local variables tainted?
On 03.09.21 at 12:48, Jeremy Harris via Exim-users wrote:

> You don't show what GREYLIST_SUBNET is.

Sorry, you are absolutely right. This is a macro and it contains
variables like ${quote_mysql:$sender_address} and
${quote_mysql:$local_part@$domain}. I've somehow forgotten about these
variables within the macro. Now I know why this is tainted.


Kai

Re: Local variables tainted?
On 03/09/2021 12:55, Kai Bojens via Exim-users wrote:
> On 03.09.21 at 12:48, Jeremy Harris via Exim-users wrote:
>
>> You don't show what GREYLIST_SUBNET is.
>
> Sorry, you are absolutely right. This is a macro and it contains variables like ${quote_mysql:$sender_address} and ${quote_mysql:$local_part@$domain}. I've somehow forgotten about these variables within the macro. Now I know why this is tainted.

Aha. There is an alternate syntax, introduced for this reason, separating
the server-specification from the SQL text. Have a look at the database lookups
chapter, section 25.
--
Cheers,
Jeremy

Re: Local variables tainted?
On 03/09/2021 13:09, Jeremy Harris via Exim-users wrote:
> section 25

Oops; 23.

--
Cheers,
Jeremy
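
The alternate syntax pointed to in the replies above, shown as an added example that is not part of the original thread: the option form of the lookup from the Exim specification, applied to the macros named in the first post. The contents of GREYLIST_SUBNET are not shown in the thread, so it appears here only by name.

```exim
# Old form (from the first post). The server specification and the SQL text
# are expanded as ONE string. GREYLIST_SUBNET contains $sender_address and
# $local_part@$domain, which are tainted, so the whole expanded string is
# tainted and Exim refuses to take a server specification from it:
#   "Tainted MySQL server 'localhost/greylist/greylist/xyz'"
warn set acl_m8 = ${lookup mysql{servers=GREYLIST_DBSERVER;\
                  GREYLIST_SUBNET}{$value}{result=unknown}}

# Option form. The server specification is given as an option on the lookup
# type, outside the braces that hold the query. It is built only from the
# macro in the configuration file and stays untainted; the query may still
# carry tainted values, which remain quoted with ${quote_mysql:...} inside
# the GREYLIST_SUBNET macro.
warn set acl_m8 = ${lookup mysql,servers=GREYLIST_DBSERVER {GREYLIST_SUBNET}{$value}{result=unknown}}
```

The same expansion can be checked outside an ACL with the debug invocation suggested earlier in the thread (exim -d-all+expand+lookup -be), which shows where the taint enters.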
