Mailing List Archive

exim-4.96RC0 - broken Mailman (2.x)
I must admit I have zero clue how to detaint this:

LOG: MAIN
** mailman@lists.mydomain.name <mailman-bounces+moses=XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
Tainted arg 1 for mailman_transport transport command: 'bounces'

mailman_router:
  driver = accept
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  domains = +mm_domains
  headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score}}
  headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Report}}
  headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score-Integer}}
  headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Flag}}
  transport = mailman_transport
  local_part_suffix = -bounces : -bounces+* : \
                      -confirm+* : -join : -leave : \
                      -owner : -request : -admin
  local_part_suffix_optional

mailman_transport:
  driver = pipe
  command = MAILMAN_WRAP \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                  {post}}' \
            $local_part
  current_directory = MAILMAN_HOME
  home_directory = MAILMAN_HOME
  user = MAILMAN_USER
  group = MAILMAN_GROUP


LOG: MAIN
** mailman@lists.mydomain.name <mailman-bounces+moses=XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
Tainted arg 1 for mailman_transport transport command: 'bounces'

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: exim-4.96RC0 - broken Mailman (2.x)
Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:

> I must admit I have zero clue how to detaint this:
>
> LOG: MAIN
> ** mailman@lists.mydomain.name <mailman-bounces+moses=
> XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
> Tainted arg 1 for mailman_transport transport command: 'bounces'
>
> mailman_router:
> driver = accept

Guessing, insert this here:

local_parts = ${lookup {$local_part} dsearch {MAILMAN_HOME/lists}}

That should set $local_part_data and then you use that where you used
$local_part before in require_files and in the transport.

I don't understand why require_files did not trigger the check, though,
but using the tainted variable $local_part there will be a problem.

Michael

Re: exim-4.96RC0 - broken Mailman (2.x)
On Fri, 6 May 2022, Odhiambo Washington via Exim-users wrote:

> I must admit I have zero clue how to detaint this:
>
> LOG: MAIN
> ** mailman@lists.mydomain.name <mailman-bounces+moses=
> XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
> Tainted arg 1 for mailman_transport transport command: 'bounces'
>
> mailman_router:
> driver = accept
> require_files = MAILMAN_HOME/lists/$local_part/config.pck
> domains = +mm_domains
> headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score}}
> headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Report}}
> headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score-Integer}}
> headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Flag}}
> transport = mailman_transport
> local_part_suffix = -bounces : -bounces+* : \
> -confirm+* : -join : -leave : \
> -owner : -request : -admin
> local_part_suffix_optional
>
> mailman_transport:
> driver = pipe
> command = MAILMAN_WRAP \
> '${if def:local_part_suffix \
> {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \

Does this help ?
{${sg{$local_part_suffix}{-(bounces|confirm|join|leave|owner|request|admin)(\\+.*)?}{\$1}}} \


> {post}}' \
> $local_part
> current_directory = MAILMAN_HOME
> home_directory = MAILMAN_HOME
> user = MAILMAN_USER
> group = MAILMAN_GROUP
>
>
> LOG: MAIN
> ** mailman@lists.mydomain.name <mailman-bounces+moses=
> XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
> Tainted arg 1 for mailman_transport transport command: 'bounces'
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: exim-4.96RC0 - broken Mailman (2.x)
On Fri, 6 May 2022, Michael Haardt via Exim-users wrote:

> Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>
>> I must admit I have zero clue how to detaint this:
>>
>> LOG: MAIN
>> ** mailman@lists.mydomain.name <mailman-bounces+moses=
>> XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
>> Tainted arg 1 for mailman_transport transport command: 'bounces'
>>
>> mailman_router:
>> driver = accept
>
> Guessing, insert this here:
>
> local_parts = ${lookup {$local_part} dsearch {MAILMAN_HOME/lists}}
>
> That should set $local_part_data and then you use that where you used
> $local_part before in require_files and in the transport.
>
> I don't understand why require_files did not trigger the check, though,
> but using the tainted variable $local_part there will be a problem.

As I understand, "require_files" detaints,
since a secure file-system is a database of trust.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: exim-4.96RC0 - broken Mailman (2.x)
Andrew C Aitchison <andrew@aitchison.me.uk> wrote:

> > I don't understand why require_files did not trigger the check, though,
> > but using the tainted variable $local_part there will be a problem.
>
> As I understand, "require_files" detaints,
> since a secure file-system is a database of trust.

The file system is, but $local_part could be "../whatever", ending up in
a quite different file than what the admin had in mind, so using
require_files on a tainted value should cause an error. However,

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html

does not say anything regarding tainted values one way or the other.

dsearch does not allow ".." as path component.

Michael

Re: exim-4.96RC0 - broken Mailman (2.x)
On Fri, May 6, 2022 at 8:05 PM Andrew C Aitchison <andrew@aitchison.me.uk>
wrote:

> On Fri, 6 May 2022, Odhiambo Washington via Exim-users wrote:
>
> > I must admit I have zero clue how to detaint this:
> >
> > LOG: MAIN
> > ** mailman@lists.mydomain.name <mailman-bounces+moses=
> > XXXXXX.org@lists.mydomain.name> R=mailman_router T=mailman_transport:
> > Tainted arg 1 for mailman_transport transport command: 'bounces'
> >
> > mailman_router:
> > driver = accept
> > require_files = MAILMAN_HOME/lists/$local_part/config.pck
> > domains = +mm_domains
> > headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score}}
> > headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Report}}
> > headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Score-Integer}}
> > headers_remove = ${if eq{SPAMHEADERTYPE}{0}{X-Spam-Flag}}
> > transport = mailman_transport
> > local_part_suffix = -bounces : -bounces+* : \
> > -confirm+* : -join : -leave : \
> > -owner : -request : -admin
> > local_part_suffix_optional
> >
> > mailman_transport:
> > driver = pipe
> > command = MAILMAN_WRAP \
> > '${if def:local_part_suffix \
> > {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
>
> Does this help ?
>
> {${sg{$local_part_suffix}{-(bounces|confirm|join|leave|owner|request|admin)(\\+.*)?}{\$1}}} \
>

Hi Andrew,

Assuming that the final transport modified with your suggestion would be:

mailman_transport:
  driver = pipe
  command = MAILMAN_WRAP \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(bounces|confirm|join|leave|owner|request|admin)(\\+.*)?}{\$1}}} \
                  {post}}' \
            $local_part
  current_directory = MAILMAN_HOME
  home_directory = MAILMAN_HOME
  user = MAILMAN_USER
  group = MAILMAN_GROUP

Then I must say it does not alleviate the problem. The error still remains
the same.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
Re: exim-4.96RC0 - broken Mailman (2.x)
On 06/05/2022 18:05, Andrew C Aitchison via Exim-users wrote:
>
> Does this help ?
>        {${sg{$local_part_suffix}{-(bounces|confirm|join|leave|owner|request|admin)(\\+.*)?}{\$1}}} \

${sg } is not clever enough to realise that the RE and substring are, in this case,
selecting a list of static strings. Therefore it cannot be used as a de-taint mechanism.

Instead, use "inlist" :-

${if inlist {$local_part_suffix} {-bounces : -confirm : -join} {$value}}

(obviously, with whatever elements in the list are needed).
The facility was described in the Newstuff file.

If the removal of a further suffix (the "(\\+.*)?" in the RE above)
is needed, do that before doing the list-match.
--
Cheers,
Jeremy
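
A small Python model of the taint rule discussed in this thread, added here as an illustration (it is not Exim code and not from any poster): a value derived from the message stays tainted through `${sg}`, while an `inlist` match against a static list and a `dsearch` hit hand back the administrator's own copy. The class and function names and the sample list directory are constructed for the example.

```python
import re

class Tainted(str):
    """A string that arrived with the message, so the sender controls it."""

def tainted(s):
    return isinstance(s, Tainted)

def sg(subject, regex, repl):
    # Model of ${sg}: the result is computed from the subject, so taint carries over.
    out = re.sub(regex, repl, subject)
    return Tainted(out) if tainted(subject) else out

def inlist(subject, static_list):
    # Model of ${if inlist{subject}{list}{$value}}: a match yields the list's own
    # element (typed by the admin), never the subject itself.
    return next((item for item in static_list if item == subject), None)

def dsearch(key, entries):
    # Model of a dsearch lookup: "/" and ".." keys are refused, and a hit returns
    # the directory entry's name rather than the key.
    if "/" in key or key in (".", ".."):
        return None
    return next((name for name in entries if name == key), None)

SUFFIXES = ["-bounces", "-confirm", "-join", "-leave", "-owner", "-request", "-admin"]
LISTS = ["mailman", "announce"]  # constructed stand-in for MAILMAN_HOME/lists

def wrapper_args(local_part, suffix):
    """Build both MAILMAN_WRAP arguments from trusted copies only."""
    stripped = sg(suffix, r"\+.*", "")          # drop "+..." before the list match
    value = inlist(stripped, SUFFIXES)
    action = value[1:] if value else "post"     # "-bounces" -> "bounces"
    listname = dsearch(local_part, LISTS)
    if listname is None:
        raise LookupError("no such list")
    return [action, listname]

def check_pipe_args(args):
    # Model of the transport-time check behind the log line in this thread.
    for n, arg in enumerate(args, 1):
        if tainted(arg):
            raise ValueError(f"Tainted arg {n} for transport command: {arg!r}")
    return args
```

The regex with the explicit alternation fails the check for the same reason as `\w+`: the output is still a substring of the input, whatever the pattern could have matched.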
