If the &%domains%& option is set, the domain of the address must be in the set
of domains that it defines.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router domains option"
A match verifies the variable &$domain$& (which carries tainted data)
and assigns an untainted value to the &$domain_data$& variable.
Such an untainted value is often needed in the transport.
When the lookup succeeds, the result of the expansion is a list of domains (and
possibly other types of item that are allowed in domain lists).
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a lookup expansion""
The result of the expansion is not tainted.
In the second example, the lookup is a single item in a domain list. It causes
The file string may not be tainted.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a single-key lookup"
All single-key lookups support the option &"ret=key"&.
If this is given and the lookup
(either underlying implementation or cached value)
returns data, the result is replaced with a non-tainted
version of the lookup key.
-.cindex "tainted data" "de-tainting"
.next
.cindex "query-style lookup" "definition of"
The &'query-style'& type accepts a generalized database query. No particular
&$domain_data$& variable and can be referred to in other router options or
other statements in the same ACL.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using ACL domains condition"
The value will be untainted.
&*Note*&: If the data result of the lookup (as opposed to the key)
&%domains%& option on a router, the value is preserved in the &$domain_data$&
variable and can be referred to in other options.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router domains option"
The value will be untainted.
.next
a shell, you must explicitly code it.
The command name may not be tainted, but the remaining arguments can be.
+&*Note*&: if tainted arguments are used, they are supplied by a
+potential attacker;
+a careful assessment for security vulnerabilities should be done.
+
If the option &'preexpand'& is used,
.wen
the command and its arguments are first expanded as one string. The result is
The variable &$value$& will be set for a successful match and can be
used in the success clause of an &%if%& expansion item using the condition.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using an inlist expansion condition"
It will have the same taint status as the list; expansions such as
.code
${if inlist {$h_mycode:} {0 : 1 : 42} {$value}}
The variable &$value$& will be set for a successful match and can be
used in the success clause of an &%if%& expansion item using the condition.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a match_local_part expansion condition"
It will have the same taint status as the list; expansions such as
.code
${if match_local_part {$local_part} {alice : bill : charlotte : dave} {$value}}
(described under &%transport_filter%& in chapter &<<CHAPtransportgeneric>>&).
It cannot be used in general expansion strings, and provokes an &"unknown
variable"& error if encountered.
+.new
+&*Note*&: This value permits data supplied by a potential attacker to
+be used in the command for a &(pipe)& transport.
+Such configurations should be carefully assessed for security vulnerbilities.
+.wen
.vitem &$primary_hostname$&
.vindex "&$primary_hostname$&"
holding password data (such as NIS) are supported. If the local part is a local
user,
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router check_local_user option"
&$local_part_data$& is set to an untainted version of the local part and
&$home$& is set from the password data. The latter can be tested in other
preconditions that are evaluated after this one (the order of evaluation is
checking is done in "belowhome" mode.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using appendfile create_file option"
If "belowhome" checking is used, the file or directory path
becomes de-tainted.
the &%environment%& option can be used to add additional variables to this
environment. The environment for the &(pipe)& transport is not subject
to the &%add_environment%& and &%keep_environment%& main config options.
+.new
+&*Note*&: Using enviroment variables loses track of tainted data.
+Writers of &(pipe)& transport commands should be wary of data supplied
+by potential attackers.
+.wen
.display
&`DOMAIN `& the domain of the address
&`HOME `& the home directory, if set
clients when the SMTP PIPELINING extension is in use. The flushing can be
disabled by using a &%control%& modifier to set &%no_callout_flush%&.
+.new
+.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using receipient verify"
+A recipient callout which gets a 2&'xx'& code
+will assign untainted values to the
+&$domain_data$& and &$local_part_data$& variables,
+corresponding to the domain and local parts of the recipient address.
+.wen
+
git://git.exim.org / exim.git / blobdiff