perl centos7 exim auto-responder

Tainted name '/etc/exim/filepath' for file read not permitted


My filter on CentOS is not working. Can anyone help me with it?

soft@204.compilor.com cannot be resolved at this time: Tainted name '/etc/exim/users/soft/204.compilor.com/soft/filter' for file read not permitted

This is the issue I get.

My router:

email_filter:
    driver = redirect
    allow_filter
    allow_fail
    forbid_filter_run
    forbid_filter_perl
    forbid_filter_lookup
    forbid_filter_readfile
    forbid_filter_readsocket
    no_check_local_user
    domains = lsearch;/etc/userdomains
    require_files = "/etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter"
    condition = "${extract \
        {size} \
        {${stat:/etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter}} \
    }"
    file = /etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter
    file_transport = address_file
    directory_transport = address_directory
    reply_transport = address_reply
    router_home_directory = ${extract \
        {5} \
        {::} \
        {${lookup passwd \
            {${lookup \
                {$domain} \
                lsearch{/etc/userdomains} \
                {$value} \
            }} \
            {$value} \
        }} \
    }
    user = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    group = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    local_part_suffix = +*
    local_part_suffix_optional
    retry_use_local_part
    no_verify

So my filters are not working and show me this error. I don't understand the tainted part. I have tried everything I could myself.


Solution

  • I solved this issue by detainting the tainted variable.

    You can use Perl untaint like this:

    ${perl{untaint}{$local_part}}
    

    That is also fine, but there might be some security risk, so I defined these lines to detaint my local part and domain:

    BADCHARS = \N[^A-Za-z0-9_.-]+\N
    SAFELOCALPART = ${lookup{${sg{$local_part}{BADCHARS}{_}}} lsearch*,ret=key{/etc/userdomains}}
    SAFEDOMAIN = ${lookup{${sg{$domain}{BADCHARS}{_}}} lsearch*,ret=key{/etc/userdomains}}
    

    After this, my router is:

    email_filter:
        driver = redirect
        allow_filter
        allow_fail
        forbid_filter_run
        forbid_filter_perl
        forbid_filter_lookup
        forbid_filter_readfile
        forbid_filter_readsocket
        no_check_local_user
        domains = lsearch;/etc/userdomains
        require_files = "/etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter"
        condition = "${extract \
            {size} \
            {${stat:/etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter}} \
        }"
        file = /etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter
        file_transport = address_file
        directory_transport = address_directory
        reply_transport = address_reply
        router_home_directory = ${extract \
            {5} \
            {::} \
            {${lookup passwd \
                {${lookup \
                    {$domain} \
                    lsearch{/etc/userdomains} \
                    {$value} \
                }} \
                {$value} \
            }} \
        }
        user = "${lookup \
            {$domain} \
            lsearch{/etc/userdomains} \
            {$value} \
        }"
        group = "${lookup \
            {$domain} \
            lsearch{/etc/userdomains} \
            {$value} \
        }"
        local_part_suffix = +*
        local_part_suffix_optional
        retry_use_local_part
        no_verify
    

    I hope anyone facing the same issue will now be able to solve it.
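
The following is an added example, not code from the original post or from Exim: a small Python model of why a lookup-based detaint is safer than an identity `untaint` when building the filter path. The `MAILBOXES` table, the sample data and all function names are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample data; real values would come from /etc/userdomains
# and from listing the per-domain directories on disk (assumption).
USERDOMAINS = "204.compilor.com: soft\nexample.org: alice\n"
MAILBOXES = {"204.compilor.com": {"soft", "info"}, "example.org": {"alice"}}
BASE = PurePosixPath("/etc/exim/users")


def parse_userdomains(text):
    """Parse 'domain: user' lines into a dict keyed by lower-cased domain."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        domain, user = line.split(":", 1)
        table[domain.strip().lower()] = user.strip()
    return table


def trusted_copy(value, allowed):
    """Return the matching entry from `allowed`, never the caller's string."""
    wanted = value.lower()
    for entry in allowed:
        if entry.lower() == wanted:
            return entry
    return None


def filter_path(local_part, domain, table=None, mailboxes=MAILBOXES):
    """Build the filter path from trusted copies only; None if no match."""
    table = parse_userdomains(USERDOMAINS) if table is None else table
    safe_domain = trusted_copy(domain, table)
    if safe_domain is None:
        return None
    safe_local = trusted_copy(local_part, mailboxes.get(safe_domain, ()))
    if safe_local is None:
        return None
    return str(BASE / table[safe_domain] / safe_domain / safe_local / "filter")


def passthrough_path(local_part, domain, table=None):
    """Model of an identity 'untaint': the message value is used unchanged."""
    table = parse_userdomains(USERDOMAINS) if table is None else table
    user = table.get(domain.lower(), "")
    return str(BASE / user / domain / local_part / "filter")
```

With the lookup-based version, every path component is a string taken from the trusted tables, so a local part such as `..` simply finds no match, while the passthrough version carries it into the path.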