X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/6dbf85ed0c969432afa9e821a81122193544bfdc..a1ebfb2e46e13ee87afc91856a4af38175735d74:/test/confs/2620
diff --git a/test/confs/2620 b/test/confs/2620
index 85d25035f..70a460e24 100644
--- a/test/confs/2620
+++ b/test/confs/2620
@@ -25,26 +25,29 @@ begin acl check_recipient: # Tainted-data checks warn - # taint only in lookup string - set acl_m0 = ok: ${lookup pgsql {select name from them where id = '$local_part'}} + # taint only in lookup string, properly quoted + set acl_m0 = ok: ${lookup pgsql {select name from them where id = '${quote_pgsql:$local_part}'}} + # taint only in lookup string, but not quoted + set acl_m0 = FAIL: ${lookup pgsql,cache=no_rd {select name from them where id = '$local_part'}} + warn # option on lookup type unaffected - set acl_m0 = ok: ${lookup pgsql,servers=SERVERS {select name from them where id = '$local_part'}} + set acl_m0 = ok: ${lookup pgsql,servers=SERVERS {select name from them where id = '${quote_pgsql:$local_part}'}} # partial server-spec, indexing main-option, works - set acl_m0 = ok: ${lookup pgsql,servers=PARTIAL {select name from them where id = '$local_part'}} + set acl_m0 = ok: ${lookup pgsql,servers=PARTIAL {select name from them where id = '${quote_pgsql:$local_part}'}} # oldstyle server spec, prepended to lookup string, fails with taint - set acl_m0 = FAIL: ${lookup pgsql {servers=SERVERS; select name from them where id = '$local_part'}} + set acl_m0 = FAIL: ${lookup pgsql {servers=SERVERS; select name from them where id = '${quote_pgsql:$local_part}'}} - # In list-stle lookup, tainted lookup string is ok if server spec comes from main-option + # In list-style lookup, tainted lookup string is ok if server spec comes from main-option warn set acl_m0 = ok: hostlist - hosts = net-pgsql;select * from them where id='$local_part' + hosts = net-pgsql;select * from them where id='${quote_pgsql:$local_part}' # ... 
but setting a per-query servers spec fails due to the taint warn set acl_m0 = FAIL: hostlist - hosts = <& net-pgsql;servers=SERVERS; select * from them where id='$local_part' + hosts = <& net-pgsql;servers=SERVERS; select * from them where id='${quote_pgsql:$local_part}' # The newer server-list-as-option-to-lookup-type is not a solution to tainted data in the lookup, because # string-expansion is done before list-expansion so the taint contaminates the entire list. warn set acl_m0 = FAIL: hostlist - hosts = <& net-pgsql,servers=SERVERS; select * from them where id='$local_part' + hosts = <& net-pgsql,servers=SERVERS; select * from them where id='${quote_pgsql:$local_part}' accept domains = +local_domains accept hosts = +relay_hosts
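Review bot: The only negative case left for unquoted tainted data is the new `${lookup pgsql,cache=no_rd {... '$local_part'}}` line in check_recipient; all three list-style `hosts = ... net-pgsql...` lookups now use `${quote_pgsql:$local_part}`, so nothing in this hunk exercises a bare `$local_part` on the list-style path. If the quoting check is meant to be enforced there as well (not visible from this hunk), a further `warn set acl_m0 = FAIL: hostlist` with `hosts = net-pgsql;select * from them where id='$local_part'` would pin that behaviour and catch a regression that reopens SQL injection through a hostlist. The `cache=no_rd` option on the new unquoted line is unexplained; a comment such as `# cache=no_rd: presumably stops the cached result of the quoted query above from satisfying this one - confirm` would tell the next maintainer why it must stay.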