exim-4.96rc0 Tainted arg
Hi,

This transport survived 4.95, but not anymore with 4.96rc0 as this error
shows:

2022-05-01 11:19:58 1nl4o7-0006GQ-10 ** /var/spool/virtual/mydomain.org/johndoe/Maildir <johndoe@mydomain.org> R=virtual_domains T=dovecot_virtual_delivery: Tainted arg 2 for dovecot_virtual_delivery transport command: 'johndoe@mydomain.org'

How do I need to de-taint the arg 2?


dovecot_virtual_delivery:
  driver = pipe
  return_output
  command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = mailnull
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: exim-4.96rc0 Tainted arg
On 2022-05-01 Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
> Hi,

> This transport survived 4.95, but not anymore with 4.96rc0 as this error
> shows:

> 2022-05-01 11:19:58 1nl4o7-0006GQ-10 ** /var/spool/virtual/mydomain.org/johndoe/Maildir <johndoe@mydomain.org> R=virtual_domains T=dovecot_virtual_delivery: Tainted arg 2 for dovecot_virtual_delivery transport command: 'johndoe@mydomain.org'

> How do I need to de-taint the arg 2?
[...]
> command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address

Did you try the usual detainting strategies ($..._data)?

cu Andreas

Re: exim-4.96rc0 Tainted arg
On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
> dovecot_virtual_delivery:
>   driver = pipe
>   return_output
>   command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
>   message_prefix =

> How do I need to de-taint the arg 2?

The same way as you de-taint local_part and domain for other uses,
as has been discussed here many times and is documented.

There are multiple ways and which one is best depends on your situation.


Once you've done that, you'll run into arg 4 also being tainted;
drop the "-f $sender_address" from the command line and remove
the
message_prefix =
option setting. The default for message_prefix is an mbox "From "
line, and Dovecot should take the sender from that.

(I am assuming that "dovecot/deliver" is the same as the "dovecot/dovecot_lda"
documented by the dovecot project).

--
Cheers,
Jeremy

Refs:
- http://exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html
- https://doc.dovecot.org/configuration_manual/protocols/lda/
- https://www.rfc-editor.org/rfc/rfc4155.txt
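
One of the de-tainting approaches referred to in the reply above, written out as an added example (it is not configuration from this thread or from the Exim project): the router matches the domain and local part by dsearch lookup, so the untainted $domain_data and $local_part_data can be used on the pipe command line. It assumes mailbox directories exist as /var/spool/virtual/<domain>/<local part>, as the path in the log line suggests, and that the router is an accept router; both are assumptions about the poster's setup.

```exim
# Added example. Assumes one directory per domain under /var/spool/virtual
# and one directory per mailbox beneath it (layout inferred from the log line).

# Router. A successful lookup in "domains" / "local_parts" sets
# $domain_data / $local_part_data to the key as found by the lookup.
# That value comes from the filesystem, not from the SMTP envelope,
# so it is untainted, unlike $domain and $local_part.
virtual_domains:
  # assumption: the real router's driver and other options may differ
  driver = accept
  # "domains" is checked before "local_parts", so $domain_data is
  # already set when the second lookup path is expanded
  domains = dsearch;/var/spool/virtual
  local_parts = dsearch;/var/spool/virtual/$domain_data
  transport = dovecot_virtual_delivery

# Transport, before (arg 2 rejected as tainted; arg 4 would be next):
#   command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
#   message_prefix =
#
# Transport, after: only lookup-derived values reach the command line.
# "-f $sender_address" and the empty "message_prefix =" are dropped as
# advised above, so the default mbox "From " line carries the sender.
dovecot_virtual_delivery:
  driver = pipe
  return_output
  command = /usr/local/libexec/dovecot/deliver -d $local_part_data@$domain_data
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = mailnull
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
```

Routing for a test address can be checked with `exim -bt johndoe@mydomain.org` before live mail is sent; an address whose directory does not exist simply fails to match this router.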

Re: exim-4.96rc0 Tainted arg
On Sun, May 1, 2022 at 12:46 PM Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

> On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
> > dovecot_virtual_delivery:
> >   driver = pipe
> >   return_output
> >   command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
> >   message_prefix =
>
> > How do I need to de-taint the arg 2?
>
> The same way as you de-taint local_part and domain for other uses,
> as has been discussed here many times and is documented.
>
> There are multiple ways and which one is best depends on your situation.
>
>
> Once you've done that, you'll run into arg 4 also being tainted;
> drop the "-f $sender_address" from the command line and remove
> the
> message_prefix =
> option setting. The default for message_prefix is an mbox "From "
> line, and Dovecot should take the sender from that.
>
> (I am assuming that "dovecot/deliver" is the same as the
> "dovecot/dovecot_lda"
> documented by the dovecot project).
>

Yes, /usr/local/libexec/dovecot/deliver is a symlink to dovecot_lda.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

Re: exim-4.96rc0 Tainted arg
On Sun, May 1, 2022 at 12:46 PM Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

> On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
> > dovecot_virtual_delivery:
> >   driver = pipe
> >   return_output
> >   command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address
> >   message_prefix =
>
> > How do I need to de-taint the arg 2?
>
> The same way as you de-taint local_part and domain for other uses,
> as has been discussed here many times and is documented.
>
> There are multiple ways and which one is best depends on your situation.
>
>
> Once you've done that, you'll run into arg 4 also being tainted;
> drop the "-f $sender_address" from the command line and remove
> the
> message_prefix =
> option setting. The default for message_prefix is an mbox "From "
> line, and Dovecot should take the sender from that.
>
> (I am assuming that "dovecot/deliver" is the same as the
> "dovecot/dovecot_lda"
> documented by the dovecot project).
>

Sanity check!

In my router, I have the following query:

address_data = ${lookup mysql{ \
    select smtp, username, users.sa_tag*10 AS sa_tag, \
      users.on_spamassassin AS on_spamassassin, \
      domains.spamassassin AS spamassassin, \
      users.uid AS uid, users.gid AS gid, users.quota AS quota \
    from users,domains \
    where localpart = '${quote_mysql:$local_part}' \
      and domain = '${quote_mysql:$domain}' \
      and domains.enabled = '1' \
      and users.enabled = '1' \
      and users.domain_id = domains.domain_id}{$value}fail}

And I have modified my transport to:

dovecot_virtual_delivery:
  driver = pipe
  return_output
  command = /usr/local/libexec/dovecot/deliver -d ${extract{username}{$address_data}}
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = mailnull
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

And deliveries seem to be working without any errors.

Question is whether I am creating a security loophole by doing the above.




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

Re: exim-4.96rc0 Tainted arg
On 03/05/2022 13:22, Odhiambo Washington via Exim-users wrote:
> Question is whether I am creating a security loophole by doing the above.

So long as the selection parameter "username" is a plain-old
column in your DB (and not some magic way of cooking the
"where" selectors) that looks fine.

I don't know if MySQL can do anything like the latter,
but if you are looking up real data in the DB, as most
people use a DB, you're good.

--
Cheers,
Jeremy

Re: exim-4.96rc0 Tainted arg
On Tue, May 3, 2022 at 3:36 PM Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

> On 03/05/2022 13:22, Odhiambo Washington via Exim-users wrote:
> > Question is whether I am creating a security loophole by doing the above.
>
> So long as the selection parameter "username" is a plain-old
> column in your DB (and not some magic way of cooking the
> "where" selectors) that looks fine.
>
> I don't know if MySQL can do anything like the latter,
> but if you are looking up real data in the DB, as most
> people use a DB, you're good.
>

Yes, the "username" is a plain-old column in my DB.

Thank you.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

Re: exim-4.96rc0 Tainted arg
• Odhiambo Washington via Exim-users [2022-05-03 15:22]:
[...]
> Sanity check!
>
> In my router, I have the following query:
>
> address_data = ${lookup mysql{ \
>     select smtp, username, users.sa_tag*10 AS sa_tag, \
>       users.on_spamassassin AS on_spamassassin, \
>       domains.spamassassin AS spamassassin, \
>       users.uid AS uid, users.gid AS gid, users.quota AS quota \
>     from users,domains \
>     where localpart = '${quote_mysql:$local_part}' \
>       and domain = '${quote_mysql:$domain}' \
>       and domains.enabled = '1' \
>       and users.enabled = '1' \
>       and users.domain_id = domains.domain_id}{$value}fail}
>
> And I have modified my transport to:
>
> dovecot_virtual_delivery:
>   driver = pipe
>   return_output
>   command = /usr/local/libexec/dovecot/deliver -d ${extract{username}{$address_data}}
>   message_suffix =
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>   log_output
>   user = mailnull
>   temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
>
> And deliveries seem to be working without any errors.
>
> Question is whether I am creating a security loophole by doing the above.

Looks like you're doing it exactly the way it was intended.

Re: exim-4.96rc0 Tainted arg
On Tue, May 3, 2022 at 3:44 PM Kirill Miazine via Exim-users <exim-users@exim.org> wrote:

> • Odhiambo Washington via Exim-users [2022-05-03 15:22]:
> [...]
> > Sanity check!
> >
> > In my router, I have the following query:
> >
> > address_data = ${lookup mysql{ \
> >     select smtp, username, users.sa_tag*10 AS sa_tag, \
> >       users.on_spamassassin AS on_spamassassin, \
> >       domains.spamassassin AS spamassassin, \
> >       users.uid AS uid, users.gid AS gid, users.quota AS quota \
> >     from users,domains \
> >     where localpart = '${quote_mysql:$local_part}' \
> >       and domain = '${quote_mysql:$domain}' \
> >       and domains.enabled = '1' \
> >       and users.enabled = '1' \
> >       and users.domain_id = domains.domain_id}{$value}fail}
> >
> > And I have modified my transport to:
> >
> > dovecot_virtual_delivery:
> >   driver = pipe
> >   return_output
> >   command = /usr/local/libexec/dovecot/deliver -d ${extract{username}{$address_data}}
> >   message_suffix =
> >   delivery_date_add
> >   envelope_to_add
> >   return_path_add
> >   log_output
> >   user = mailnull
> >   temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
> >
> > And deliveries seem to be working without any errors.
> >
> > Question is whether I am creating a security loophole by doing the above.
>
> Looks like you're doing it exactly the way it was intended.
>


:)

Thank you for confirming.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)