Hi Jeremy
And thanks.
On 16/11/2022 22:16, Jeremy Harris via Exim-users wrote:
> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>> Moving an old system to exim 4.94.2 I'm hitting a taint error with
>> $dnslist_domain. That's a bit surprising as it's 100% internally
>> defined -- there's nothing the outside world can do to change its
>> possible values.
>
> I'm not immediately seeing it either.
> If you set up a test using -d+expand and -bh
> is the value for $acl_m_dnslist1 tainted at the point it gets expanded
> for the dnslists= ACL condition?

Very handy and, yes, at first mention of the filter (showing the full
list)...
considering: ${filter{
b.barracudacentral.org
: hostkarma.junkemailfilter.com=127.0.0.2
: truncate.gbudb.net
: bl.spamcop.net
: dnsbl.sorbs.net
: all.s5h.net
: all.bl.blocklist.de
: all.spamrats.com
: dyna.spamrats.com
: noptr.spamrats.com
: spam.spamrats.com
: bl.mailspike.net
: dnsbl.dronebl.org
: sbl.spamdown.org
: bl.nordspam.com==127.0.0.2
: dnsbl.justspam.org
: dnsrbl.org
: bl.mxrbl.com
: dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
: hostkarma.junkemailfilter.com=127.0.0.2/$sender_address_domain
: multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/$sender_address_domain
: rhsbl.sorbs.net/$sender_address_domain
: dbl.nordspam.com==127.0.0.2/$sender_address_domain
} {exists{/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}} }
[...]
╰─────result:
b.barracudacentral.org
: hostkarma.junkemailfilter.com=127.0.0.2
: truncate.gbudb.net
: bl.spamcop.net
: dnsbl.sorbs.net
: all.s5h.net
: all.bl.blocklist.de
: all.spamrats.com
: dyna.spamrats.com
: noptr.spamrats.com
: spam.spamrats.com
: bl.mailspike.net
: dnsbl.dronebl.org
: sbl.spamdown.org
: bl.nordspam.com==127.0.0.2
: dnsbl.justspam.org
: dnsrbl.org
: bl.mxrbl.com
: dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/example.com
: hostkarma.junkemailfilter.com=127.0.0.2/example.com
: multi.uribl.com=127.0.0.2,127.0.0.4,127.0.0.8/example.com
: rhsbl.sorbs.net/example.com
: dbl.nordspam.com==127.0.0.2/example.com
╰──(tainted)
... and every item in the list (used or not) is considered tainted;
filter: $item = 'b.barracudacentral.org' $value = 'NULL'
╭considering:
/srv/$domain_data/config/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}}
}
╭considering: 1}{=!&/}{$item}{$value}{$item}}}} }
├──expanding: 1
╰─────result: 1
╭considering: =!&/}{$item}{$value}{$item}}}} }
├──expanding: =!&/
╰─────result: =!&/
╭considering: $item}{$value}{$item}}}} }
├──expanding: $item
╰─────result: b.barracudacentral.org
╰──(tainted)
Removing the rhsbl services (i.e., $sender_address_domain) and all is well.
Looks like I guessed wrong. I'm wondering why this taint error isn't
widespread -- could it be $filter/exists specific? I won't guess this
time ;)
Cheers,
Martin
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
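
Added example, not part of the original message and not Exim project code: a small Python helper that walks `-d+expand` output of the shape quoted above and reports which expansion results are followed by the `(tainted)` marker, so the first tainted step is easy to find in a long trace. The sample trace is constructed from lines in this post; the function names are hypothetical, and stripping leading indentation is an assumption about how nested traces are laid out.

```python
import re

# Marker lines as they appear in the trace quoted in this post.
RESULT_RE = re.compile(r"^╰─+result:(.*)$")
TAINTED_RE = re.compile(r"^╰─+\(tainted\)")
BOX_STARTS = ("╭", "├", "╰")

def parse_results(trace):
    """Return [(result_text, is_tainted), ...] in trace order."""
    results, current = [], None

    def flush(tainted):
        nonlocal current
        if current is not None:
            results.append(("\n".join(current).strip(), tainted))
        current = None

    for raw in trace.splitlines():
        # Assumption: nesting only adds leading spaces or '│' characters.
        line = raw.lstrip(" \t│").rstrip()
        m = RESULT_RE.match(line)
        if m:
            flush(False)                 # previous result had no taint marker
            current = [m.group(1).strip()]
        elif TAINTED_RE.match(line):
            flush(True)                  # marker applies to the result just read
        elif line.startswith(BOX_STARTS):
            flush(False)                 # a new step begins
        elif current is not None:
            current.append(line)         # continuation of a multi-line result
    flush(False)
    return results

def tainted_values(trace):
    """Only the result strings that the trace marks as tainted."""
    return [text for text, tainted in parse_results(trace) if tainted]

# Constructed sample, shortened from the trace in this post.
SAMPLE = """\
╰─────result:
b.barracudacentral.org
: rhsbl.sorbs.net/example.com
╰──(tainted)
filter: $item = 'b.barracudacentral.org' $value = 'NULL'
╭considering: 1}{=!&/}{$item}{$value}{$item}}}} }
├──expanding: 1
╰─────result: 1
╭considering: $item}{$value}{$item}}}} }
├──expanding: $item
╰─────result: b.barracudacentral.org
╰──(tainted)
"""
```

Run over a full `-bh` session log, `tainted_values()` lists every tainted result in order, which shows whether the taint is already present on the whole list before `$item` is ever used in the `exists` path.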