.code
local_delivery:
driver = appendfile
- file = /var/mail/$home
+ file = /var/mail/$local_part_verified
delivery_date_add
envelope_to_add
return_path_add
# mode = 0660
.endd
This &(appendfile)& transport is used for local delivery to user mailboxes in
-traditional BSD mailbox format. By default it runs under the uid and gid of the
+traditional BSD mailbox format.
+
+.new
+We prefer to avoid using &$local_part$& directly to define the mailbox filename,
+as it is provided by a potential bad actor.
+Instead we use &$local_part_verified$&,
+the result of looking up &$local_part$& in the user database
+(done by using &%check_local_user%& in the the router).
+.wen
+
+By default &(appendfile)& runs under the uid and gid of the
local user, which requires the sticky bit to be set on the &_/var/mail_&
directory. Some systems use the alternative approach of running mail deliveries
under a particular group instead of using the sticky bit. The commented options
.cindex "tainted data"
If the origin of the data is an incoming message,
the result of expanding this variable is tainted.
+See also &$domain_verified$&.
.wen
If the origin of the data is an incoming message,
the result of expanding this variable is tainted.
-&*Warning*&: the content of this variable is usually provided by a potential attacker.
+&*Warning*&: the content of this variable is usually provided by a potential
+attacker.
Consider carefully the implications of using it unvalidated as a name
for file access.
This presents issues for users' &_.forward_& and filter files.
-For traditional full user accounts, use &%check_local_users%& and the &$home$&
-variable rather than this one.
+For traditional full user accounts, use &%check_local_users%& and the
+&$local_part_verified$& variable rather than this one.
For virtual users, store a suitable pathname component in the database
which is used for account name validation, and use that retrieved value
rather than this variable.
+If needed, use a router &%address_data%& or &%set%& option for
+the retrieved data.
.wen
.vindex "&$local_part_prefix$&"
specific suffix for the local part was recognized, it is available in this
variable, having been removed from &$local_part$&.
+.new
+.vitem &$local_part_verified$&
+.vindex "&$local_part_verified$&"
+If the router generic option &%check_local_part%& has run successfully,
+this variable has the user database version of &$local_part$&.
+Such values are not tainted and hence usable for building file names.
+.wen
+
.vitem &$local_scan_data$&
.vindex "&$local_scan_data$&"
This variable contains the text returned by the &[local_scan()]& function when
comments.
.new
+.cindex "tainted data" "in filenames"
+.cindex redirect "tainted data"
+Tainted data may not be used for a filename.
+
&*Warning*&: It is unwise to use &$local_part$& or &$domain$&
directly for redirection,
as they are provided by a potential attacker.
.code
list1: :include:/opt/lists/list1
.endd
+.new
+.cindex "tainted data" "in filenames"
+.cindex redirect "tainted data"
+Tainted data may not be used for a filename.
+.wen
.next
.cindex "address redirection" "to black hole"
.cindex "delivery" "discard"
used to determine the file or directory name for the delivery. Normally, the
contents of &$address_file$& are used in some way in the string expansion.
.endlist
+.new
+.cindex "tainted data" "in filenames"
+.cindex appendfile "tainted data"
+Tainted data may not be used for a file or directory name.
+This means that, for instance, &$local_part$& cannot be used directly
+as a component of a path. It can however be used as the key for a lookup
+which returns a path (or component).
+.wen
.cindex "Sieve filter" "configuring &(appendfile)&"
details of the local delivery environment and chapter &<<CHAPbatching>>&
for a discussion of local delivery batching.
+.new
+.cindex "tainted data" "in pipe command"
+.cindex pipe "tainted data"
+Tainted data may not be used for the command name.
+.wen
+
.section "Concurrent delivery" "SECID140"
If two messages arrive at almost the same time, and both are routed to a pipe
git://git.exim.org / exim.git / blobdiff