On 17/11/2022 16:36, Martin Clayton via Exim-users wrote:
> So, sorry to be a tainted dummy, but I'm still left wondering how to deal with
> this.
Look at your line:
{exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}}
The filename there is built from a directory path which is not tainted,
and a filename which is. This is a standard pattern for detainting
using a dsearch lookup - which as a bonus does the equivalent of "exists"
also. As the docs say (file & database lookups chapter, on dsearch):
"If lstat() succeeds then so does the lookup. The result is regarded as
untainted."
So, use a ${lookup {tainted_thing} dsearch {untainted_path} {found}
{not_found}}.
--
Cheers,
Jeremy
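
The pattern described in the reply, applied to the line it quotes. This is an added illustration, not part of the original message; it reuses the macros and variables from the quoted line and assumes the condition sits where a sub-condition of an ${if ...} is expected.

```exim
# Before (the quoted line): exists{} is given a path whose last component
# is derived from the tainted $item.
#   {exists{VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/${extract{1}{=!&/}{$item}{$value}{$item}}}}

# After: the tainted key is looked up with dsearch in the untainted
# directory. With no yes/no strings the lookup yields the matched entry
# name (untainted) on success and the empty string on failure, so a
# non-empty result means the file exists.
{!eq{}{${lookup {${extract{1}{=!&/}{$item}{$value}{$item}}} \
                dsearch {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists}}}}

# If the file is opened afterwards, build its path from the lookup result
# ($value inside the yes-string), never from $item directly:
${lookup {${extract{1}{=!&/}{$item}{$value}{$item}}} \
         dsearch {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists} \
         {VHOST_DIR/$domain_data/VHOST_CONFIG_DIR/blacklists/$value} {}}
```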