Page MenuHomePhabricator

Exim emitting warnings about tainted filenames
Closed, ResolvedPublicBUG REPORT

Description

We presently get a lot of these messages in our exim logs:

2022-04-11 21:47:15 Warning: Tainted filename for search '/etc/exim4/aliases/wikimedia.org'
2022-04-11 21:47:15 Warning: Tainted filename '/etc/exim4/aliases/wikimedia.org'
2022-04-11 21:47:15 Warning: Tainted filename for search '/etc/exim4/aliases/wikimedia.org'

These are due to using $domain, which is under the control of the email sender, as the value for a filename. Exim does not allow you to use sender controlled data for filename lookups. Instead we should switch to $domain_data which is the value of a domain lookup.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change 779504 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/puppet@production] mx: use $domain_data rather than $domain for aliases

https://gerrit.wikimedia.org/r/779504

Change 779504 merged by JHathaway:

[operations/puppet@production] mx: use $domain_data rather than $domain for aliases

https://gerrit.wikimedia.org/r/779504

jhathaway claimed this task.

merged!