Mailing List Archive

$dnslist_domain tainted
Hi,

Moving an old system to exim 4.94.2 I'm hitting a taint error with
$dnslist_domain. That's a bit surprising as it's 100% internally defined
-- there's nothing the outside world can do to change its possible
values. Well, at least in my mind ;)

> warn domains = +vhost_domains
> dnslists = $acl_m_dnslist1
> add_header = X-Spam-Blacklisted: $dnslist_matched listed at $dnslist_domain ($dnslist_value)
> set acl_m105076_act = ${lookup{tag}lsearch{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$dnslist_domain}{tag}{reject}}
> logwrite = ACL#10/50/76: H=$sender_fullhost $dnslist_matched blacklisted at $dnslist_domain ($dnslist_value) - $domain_data set to $acl_m105076_act
>
> deny condition = ${if eq {$acl_m105076_act}{reject}}
> message = $dnslist_matched blacklisted at $dnslist_domain ($dnslist_value) \
> ${if def:dnslist_text {\n$dnslist_text}}

When there's an rbl hit, the lsearch lookup triggers a taint error, e.g:

> Tainted filename for search '/srv/example.com/config/blacklists/bl.mxrbl.com'
> failed to expand ACL string "${lookup{tag}lsearch{/srv/$domain_data/config/blacklists/$dnslist_domain}{tag}{reject}}"

(I haven't touched most of the config but $domain_data is innocent -- a
quick test replacing $dnslist_domain with a hardcoded "bl.mxrbl.com" and
all is well).

So, a bit of a dummy question (sorry), but how do I detaint
$dnslist_domain? Presumably, with a simple lookup -- by definition it's
in $acl_m_dnslist1 and the associated file will very likely still exist
at VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$dnslist_domain ...

In case it's relevant, $acl_m_dnslist1 is populated via a filter looking
for the presence of various files, e.g:

> warn domains = +vhost_domains
> set acl_m_dnslist1 = ${filter{ \
> b.barracudacentral.org : \
> hostkarma.junkemailfilter.com=127.0.0.2 : \
> bl.mxrbl.com : \
> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain : \
> hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain : \
> dbl.nordspam.com==127.0.0.2/$sender_address_domain \
> } \
> {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} \
> }

Hmm, I'm now wondering if $sender_address_domain has tainted dnslists,
parent of $dnslist_domain. I guess not.

Meanwhile, thanks for exim - and any pointers!

M







--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: $dnslist_domain tainted [ In reply to ]
On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Moving an old system to exim 4.94.2 I'm hitting a taint error with $dnslist_domain. That's a bit surprising as it's 100% internally defined -- there's nothing the outside world can do to change its possible values.

I'm not immediately seeing it either.

If you set up a test using -d+expand and -bh
is the value for $acl_m_dnslist1 tainted at the point it gets expanded
for the dnslists= ACL condition?

--
Cheers,
Jeremy


Re: $dnslist_domain tainted [ In reply to ]
Hi Jeremy

And thanks.

On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:
> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with
>> $dnslist_domain. That's a bit surprising as it's 100% internally
>> defined -- there's nothing the outside world can do to change its
>> possible values.
>
> I'm not immediately seeing it either.
>
> If you set up a test using -d+expand and -bh
> is the value for $acl_m_dnslist1 tainted at the point it gets expanded
> for the dnslists= ACL condition?

Very handy and, yes, at first mention of the filter (showing the full
list)...

> considering: ${filter{
> b.barracudacentral.org
> : hostkarma.junkemailfilter.com=127.0.0.2
> : truncate.gbudb.net
> : bl.spamcop.net
> : dnsbl.sorbs.net
> : all.s5h.net
> : all.bl.blocklist.de
> : all.spamrats.com
> : dyna.spamrats.com
> : noptr.spamrats.com
> : spam.spamrats.com
> : bl.mailspike.net
> : dnsbl.dronebl.org
> : sbl.spamdown.org
> : bl.nordspam.com==127.0.0.2
> : dnsbl.justspam.org
> : dnsrbl.org
> : bl.mxrbl.com
> : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
> : hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain
> : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain
> : rhsbl.sorbs.net/$sender_address_domain
> : dbl.nordspam.com==127.0.0.2/$sender_address_domain
> } {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
> [...]
> ??????result:
> b.barracudacentral.org
> : hostkarma.junkemailfilter.com=127.0.0.2
> : truncate.gbudb.net
> : bl.spamcop.net
> : dnsbl.sorbs.net
> : all.s5h.net
> : all.bl.blocklist.de
> : all.spamrats.com
> : dyna.spamrats.com
> : noptr.spamrats.com
> : spam.spamrats.com
> : bl.mailspike.net
> : dnsbl.dronebl.org
> : sbl.spamdown.org
> : bl.nordspam.com==127.0.0.2
> : dnsbl.justspam.org
> : dnsrbl.org
> : bl.mxrbl.com
> : dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com
> : hostkarma.junkemailfilter.com=127.0.0.2/example.com
> : multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com
> : rhsbl.sorbs.net/example.com
> : dbl.nordspam.com==127.0.0.2/example.com
> ???(tainted)

... and every item in the list (used or not) is considered tainted;

> filter: $item = 'b.barracudacentral.org' $value = 'NULL'
> ?considering: /srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
> ?considering: 1}{=!&/}{$item}{$value}{$item}}}} }
> ???expanding: 1
> ??????result: 1
> ?considering: =!&/}{$item}{$value}{$item}}}} }
> ???expanding: =!&/
> ??????result: =!&/
> ?considering: $item}{$value}{$item}}}} }
> ???expanding: $item
> ??????result: b.barracudacentral.org
> ???(tainted)

Removing the rhsbl services (i.e, $sender_address_domain) and all is well.

Looks like I guessed wrong. I'm wondering why this taint error isn't
widespread -- could it be $filter/exists specific? I won't guess this
time ;)

Cheers,
Martin







Re: $dnslist_domain tainted [ In reply to ]
On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
> Removing the rhsbl services (i.e, $sender_address_domain) and all is well.
>
> Looks like I guessed wrong. I'm wondering why this taint error isn't widespread -- could it be $filter/exists specific?



Aha! (otherwise pronounced "Doh!")...

This item:
dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain

because it uses $sender_address_domain (which is tainted), taints the entire string
that is the list for ${filter...} (because string-expansion is done before list-expansion).
Therefore every $item for the filter is tainted, and so the filtered result list is also.
--
Cheers,
Jeremy


Re: $dnslist_domain tainted [ In reply to ]
On 17/11/2022 15:12, Martin Clayton wrote:
> On 17/11/2022 13:49, Jeremy Harris via Exim-users wrote:
>> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>>> Removing the rhsbl services (i.e, $sender_address_domain) and all is
>>> well.
>>>
>> [...]
>> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
>>
>> because it uses $sender_address_domain (which is tainted), taints the
>> entire string

Ah, so it's unexpectedly expected behaviour ;)

So, sorry to be a tainted dummy, but I'm still left wondering how to
deal with this.

The dns query runs without issue, log messages, etc, all good. It's only
the $dnslist_domain based file lookup to define the action to take.

It sounds like dnslists using rhsbl services have to be tainted. (I'm
assuming that attempting to detaint $sender_address_domain isn't
sensible when it could legitimately be anything protocol-valid).

So, can $dnslist_domain be detainted? We know it lives in a pre-defined
list. The parent (dnslists) may be tainted but the child is reliable,
innocent and completely immune to anything in $sender_address_domain

Rabbit holes :)

Cheers,
Martin







Re: $dnslist_domain tainted [ In reply to ]
On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
> So, sorry to be a tainted dummy, but I'm still left wondering how to deal with this.

Look at your line:

{exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}}

The filename there is built from a directory path which is not tainted,
and a filename which is. This is a standard pattern for detainting
using a dsearch lookup - which as a bonus does the equivalent of "exists"
also. As the docs say (file & database lookups chapter, on dsearch)
"If lstat() succeeds then so does the lookup. The result is regarded as untainted."

So, use a ${lookup {tainted_thing} dsearch {untainted_path} {found} {not_found}}.
--
Cheers,
Jeremy
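
The dsearch pattern described in this reply, applied to the ACL fragments from the first message (an added example, not configuration posted by anyone in the thread). The variable name acl_m_bl_file and the choice to fall back to "reject" when no per-list file exists are assumptions; the list is shortened to two of the original items.

```exim
# Added example. VHOST_DIR, VHOST_CONFIG_DIR, +vhost_domains and the
# acl_m_dnslist1 / acl_m105076_act variables come from the thread;
# acl_m_bl_file is a hypothetical name.

# 1. Building the list: dsearch stands in for "exists". The key is the
#    tainted name taken from $item, the directory is built from untainted
#    parts only. The filtered list itself stays tainted, because
#    $sender_address_domain is expanded into the string before it is split.
warn  domains  = +vhost_domains
      set acl_m_dnslist1 = ${filter{ \
            bl.mxrbl.com : \
            dbl.nordspam.com==127.0.0.2/$sender_address_domain \
          } \
          {bool{${lookup{${extract{1}{=!&/}{$item}{$value}{$item}}}dsearch\
                {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists}{yes}{no}}}} \
        }

# 2. Acting on a hit: look $dnslist_domain up as a directory entry first.
#    On success $value is the entry name, which Exim regards as untainted;
#    on failure the variable is set to the empty string.
warn  domains  = +vhost_domains
      dnslists = $acl_m_dnslist1
      set acl_m_bl_file = ${lookup{$dnslist_domain}dsearch\
            {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists}{$value}{}}
      # The lsearch filename now contains only untainted parts.
      # Assumption: a missing per-list file is treated as "reject".
      set acl_m105076_act = ${if def:acl_m_bl_file \
            {${lookup{tag}lsearch\
               {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$acl_m_bl_file}\
               {tag}{reject}}} \
            {reject}}
      # add_header / logwrite modifiers from the original ACL go here unchanged.
```

Running the result through `-bh` with `-d+expand`, as suggested earlier in the thread, shows whether the value stored in acl_m_bl_file is still marked "(tainted)".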


Re: $dnslist_domain tainted [ In reply to ]
On 17/11/2022 19:10, Jeremy Harris via Exim-users wrote:
> On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
>> So, sorry to be a tainted dummy, but I'm still left wondering how to
>> deal with this.

> {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}}
>
> The filename there is built from a directory path which is not tainted,
> and a filename which is.  This is a standard pattern for detainting
> using a dsearch lookup
> [...] docs [...]
> So, use a ${lookup {tainted_thing} dsearch {untainted_path}   {found}
> {not_found}}.

Huge thanks for the direction and clarity. I'm sure I can now get the
new machine purring. I'm usually fairly good with docs and find exim4
particularly 'tight' (in a good way), sometimes, 'intense'. ;) Normally,
it's battling with syntax but this one feels more like policy and I lost
the way. 'Taint easy but one day I'll have a better grip on the
fundamentals and the blindingly obvious will be visible -- although, I
can see how that could go wrong :)

I'm looking at such a small part of exim, how you/team keep the whole
project together is simply amazing.

Thanks!






