> Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote on 21.07.2023 09:16 CEST:

First - thanks for your reply and help. I really appreciate it.

> On 21/07/2023 07:47, Niels Kobschätzki via Exim-users wrote:
> > In exim 4.96 I have now the problem that this seems to be considered 
> > tainted in filter-files (or in ldap-queries; I am not sure tbh).
> > I get this error in the log: tainted search query is not properly quoted 
> > (router virtual_userfilter
> > , /usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH 
> > LDAPDN?mailBlackList?sub?(&(mail=test-receiver%40domain.tld)(mailBlackList=test-blackl...@domain.tld))
> 
> Note that the error is "it's not properly quoted".  The intended hint
> is that if it (an argument to a lookup) is tainted, then it must be quoted.
> 
> Not that it must be untainted (though obviously that would suffice too).
> 
> So look again at your query args, and remember who is supplying them:
> 
> > LDAPAUTH 
> > LDAPDN?mailBlackList?sub?(&(mail=${quote_ldap:$local_part@$domain})(mailBlackList=${lc:${address:$h_From:}}))
> 
> Is that From:-derived string quoted, for ldap?

When I start to quote that, it won't work. I tried '$h_From:', wrapping 
${address:$h_FROM:} and wrapping ${lc:${address:$h_From:}}, but those all 
resulted in a deferral, iirc, because the search query was broken.

But maybe I understand quoting wrong in this context. Do you mean wrapping it 
in ' or do you mean using "quote_ldap"? I tried using quote_ldap but that 
suddenly adds encoded <> around the address and then the lookup won't find the 
result.

$h_From: results in test-blackl...@domain.tld
$quote_ldap:$h_From: results in #3ctest-blackl...@domain.tld#3e (I think it was 
that way - maybe the # were %)

The only moment I do not get tainted errors is when I do something like:

(mail='${quote_ldap:$local_part}'@'$domain')
but this yields: mail='test-receiver'@'domain.tld'

doing '(mail=${quote_ldap:$local_part}@$domain)'
yields '(mail=test-recei...@domain.tld)'

Both break the ldap-lookup though. The first one because 
'test-receiver'@'domain.tld' does not exist in the LDAP (only 
test-recei...@domain.tld does) and the second one I guess because it is in the 
middle of an LDAP-URL. The moment I introduce ' into the ldap-query as part of 
the LDAP-URL the lookup breaks; either because the LDAP-URL becomes wrong or 
because the resulting lookup doesn't find anything.

> > And I get this in a debug session: (tainted, quoted:ldap)
> 
> Since you didn't actually show us, we can only speculate...
> that was the quoted l@d string.

Here is the (slightly sanitized) output of a debug-session of my current 
experimental filter file.

19301 postfork: router-interpret
19301 changed uid/gid: virtual_userfilter router (recipient is 
test-recei...@domain.tld)
19301   uid=68 gid=9025 pid=19301
19301   auxiliary group list: 9025
19301 2679 bytes read from 
/users/do/domain.tld/te/test-receiver/pobox/.exim_filter
19301 data is an Exim filter program
19301 Filter: start of processing
19301   search_open: ldap "NULL"
19301   search_find: file="NULL"
19301     key="LDAPAUTH 
LDAPDN?enableBlackList?sub?(mail=test-recei...@domain.tld)" partial=-1 
affix=NULL starflags=0 opts=NULL
19301   LRU list:
19301   internal_search_find: file="NULL"
19301     type=ldap key="LDAPAUTH 
LDAPDN?enableBlackList?sub?(mail=test-recei...@domain.tld)" opts=NULL
19301   database lookup required for LDAPAUTH 
LDAPDN?enableBlackList?sub?(mail=test-recei...@domain.tld)
19301                                (tainted, quoted:ldap)
19301   LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 
referrals=on
19301   perform_ldap_search: ldap URL = 
"LDAPDN?enableBlackList?sub?(mail=test-recei...@domain.tld)" server=NULL port=0 
sizelimit=0 timelimit=0 tcplimit=0
19301   after ldap_url_parse: host=ldap.server.fqdn port=389
19301   ldap_initialize with URL ldap://ldap.server.fqdn:389/
19301   initialized for LDAP (v3) server ldap.server.fqdn:389
19301   LDAP_OPT_X_TLS_TRY set due to ldap:// URI
19301   binding with AUTHDATA
19301   Start search
19301   LDAP result loop
19301   LDAP entry loop
19301   LDAP attr loop
19301   LDAP value loop enableBlackList:1
19301   search ended by ldap_result yielding 101
19301   ldap_parse_result: 0
19301   ldap_parse_result yielded 0: Success
19301   LDAP search: returning: 1
19301   creating new cache entry
19301   lookup yielded: 1
19301   search_open: ldap "NULL"
19301     cached open
19301   search_find: file="NULL"
19301     key="LDAPAUTH 
LDAPDN?mailBlackList?sub?(&(mail=test-recei...@domain.tld)(mailBlackList=test-blackl...@domain.tld))"
 partial=-1 affix=NULL starflags=0 opts=NULL
19301   LRU list:
19301   internal_search_find: file="NULL"
19301     type=ldap key="LDAPAUTH 
LDAPDN?mailBlackList?sub?(&(mail=test-recei...@domain.tld)(mailBlackList=test-blackl...@domain.tld))"
 opts=NULL
19301   database lookup required for LDAPAUTH 
LDAPDN?mailBlackList?sub?(&(mail=test-recei...@domain.tld)(mailBlackList=test-blackl...@domain.tld))
19301                                (tainted)
19301 LOG: MAIN PANIC
19301   tainted search query is not properly quoted (router virtual_userfilter, 
/usr/local/etc/exim/conf/routers.conf 274): LDAPAUTH 
LDAPDN?mailBlackList?sub?(&(mail=test-recei...@domain.tld)(mailBlackList=test-blackl...@domain.tld))
19301   search_type 7 (ldap) quoting -1 (none)
19301   LDAP parameters: LDAPAUTH size=0 time=0 connect=0 dereference=0 
referrals=on
19301   perform_ldap_search: ldap URL = 
"LDAPDN?mailBlackList?sub?(&(mail=test-recei...@domain.tld)(mailBlackList=test-blackl...@domain.tld))"
 server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
19301   after ldap_url_parse: host=ldap.server.fqdn port=389
19301   re-using cached connection to LDAP server ldap.server.fqdn:389
19301   Start search
19301   LDAP result loop
19301   LDAP entry loop
19301   LDAP attr loop
19301   LDAP value loop mailBlackList:test-blackl...@domain.tld
19301   search ended by ldap_result yielding 101
19301   ldap_parse_result: 0
19301   ldap_parse_result yielded 0: Success
19301   LDAP search: returning: mailBlackList="test-blackl...@domain.tld"
19301   creating new cache entry
19301   lookup yielded: mailBlackList="test-blackl...@domain.tld"
19301 Filter: end of processing
19301 search_tidyup called
19301 unbind LDAP connection to ldap.server.fqdn:389
19301 >>>>>>>>>>>>>>>> Exim pid=19301 (router-interpret) terminating with rc=0 
>>>>>>>>>>>>>>>>


Best,

Niels
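As an added illustration (my own code, not Exim's and not from the thread) of the two quoting steps a From:-derived value needs before it can sit inside an LDAP-URL filter: RFC 4515 filter escaping, then RFC 4516 percent-encoding, which is what turns "@" into the "%40" visible in the logged query. The addresses, header value and base DN below are constructed, and `from_header_address` only approximates what ${lc:${address:$h_From:}} yields; the exact set of characters Exim's ${quote_ldap:} percent-encodes is an assumption here.

```python
import email.utils
from urllib.parse import quote

# RFC 4515 section 3: these characters must be written as backslash + two hex
# digits inside an LDAP search filter, otherwise they change the filter's
# structure instead of being matched literally.
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def ldap_value_quote(value: str) -> str:
    """Filter-escape, then percent-encode (RFC 4516) for use inside an LDAP URL.

    With safe="" only alphanumerics and "-._~" pass through, so "@" becomes
    "%40" and the backslash produced by the filter escape becomes "%5C".
    """
    return quote(ldap_filter_escape(value), safe="")


def from_header_address(header_value: str) -> str:
    """Approximation of ${lc:${address:$h_From:}}: the bare addr-spec, lowercased."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.lower()


def blacklist_query(base_dn: str, recipient: str, from_header: str) -> str:
    """Build the query part of the thread's blacklist lookup with both values quoted."""
    sender = from_header_address(from_header)
    filt = "(&(mail=%s)(mailBlackList=%s))" % (
        ldap_value_quote(recipient), ldap_value_quote(sender))
    return "%s?mailBlackList?sub?%s" % (base_dn, filt)


if __name__ == "__main__":
    # Constructed sample values; "o=example" stands in for the thread's LDAPDN macro.
    print(blacklist_query("o=example", "alice@example.org",
                          "Some Sender <Spammer@Example.NET>"))
    # A header value carrying filter metacharacters cannot close the filter
    # early once quoted: every "*", "(" and ")" is reduced to \2a, \28, \29.
    print(ldap_value_quote("*)(mail=*"))
```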
