From 982854f86c4acc7779b6b65094ba557a9fcd50d6 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 19 Nov 2024 18:30:03 +0000
Subject: [PATCH 1/1] Taint: reject or log more tainted list metadata elements

---
 doc/doc-docbook/spec.xfpt |  27 ++++++++
 doc/doc-txt/ChangeLog     |  13 +++-
 src/src/expand.c          |   2 +-
 src/src/match.c           |  38 ++++++++++--
 src/src/string.c          |   2 +-
 test/confs/2202           |   9 +--
 test/stderr/0632          |   4 --
 test/stderr/2202          | 126 ++++++++++++++++++++------------------
 test/stderr/5410          |   6 --
 test/stderr/5420          |   9 +--
 10 files changed, 147 insertions(+), 89 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ae30cb886..c8f765905 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -8635,6 +8635,11 @@ domainlist  dom2 = !a.b : *.b
 where &'x.y'& does not match. It's best to avoid negation altogether in
 referenced lists if you can.
 
+.new
+The list item which references a named list (&"+<listname>"&)
+may not be tainted.
+.wen
+
 .cindex "hiding named list values"
 .cindex "named lists" "hiding value of"
 Some named list definitions may contain sensitive data, for example, passwords for
@@ -8739,6 +8744,9 @@ possible to use the same configuration file on several different hosts that
 differ only in their names.
 
 The value for a match will be the primary host name.
+.new
+The pattern may not be tainted.
+.wen
 
 
 .next
@@ -8754,6 +8762,9 @@ In today's Internet, the use of domain literals is controversial;
 see the &%allow_domain_literals%& main option.
 
 The value for a match will be the string &`@[]`&.
+.new
+The pattern may not be tainted.
+.wen
 
 
 .next
@@ -8770,6 +8781,10 @@ local host, and the second only when no primary MX target is the local host,
 but a secondary MX target is. &"Primary"& means an MX record with the lowest
 preference value &-- there may of course be more than one of them.
 
+.new
+The pattern may not be tainted.
+.wen
+
 The MX lookup that takes place when matching a pattern of this type is
 performed with the resolver options for widening names turned off. Thus, for
 example, a single-component domain will &'not'& be expanded by adding the
@@ -9605,6 +9620,12 @@ lower case. However, although independent matches on the domain alone are still
 performed caselessly, regular expressions that match against an entire address
 become case-sensitive after &"+caseful"& has been seen.
 
+.new
+This string may not be tainted.
+To do caseful matching on list elements whic are tainted,
+place them in a named list.
+.wen
+
 
 
 .section "Local part lists" "SECTlocparlis"
@@ -9622,6 +9643,12 @@ matching in the local part list, but not elsewhere in the router. If
 &%caseful_local_part%& is set true in a router, matching in the &%local_parts%&
 option is case-sensitive from the start.
 
+.new
+This string may not be tainted.
+To do caseful matching on list elements whic are tainted,
+place them in a named list.
+.wen
+
 If a local part list is indirected to a file (see section &<<SECTfilnamlis>>&),
 comments are handled in the same way as address lists &-- they are recognized
 only if the # is preceded by white space or the start of the line.
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c9f7a4375..37cc3b77d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -67,7 +67,18 @@ JH/14 Bug 3116: Fix crash in dkim signing.  On kernels supporting immutable
       memory segments, a write was done into one when a constant string was
       configured for a transport's dkim private key.
 
-JH/15 Disallow tainted change-of-separator on lists
+JH/15 Disallow tainted metadata in lists.
+      - Change-of-separator prefixes are handled specially when they are
+      explicit text; only the remainder of the list is expanded. A change-of-
+      separator resulting from expansion will not take effect if tainted.
+      - Elements starting with a plus-sign (named-list inclusion,
+      case-interpretation etc) and (hostlist) @[] (et al) are not handled
+      specially and are still operative at this time - but warnings are logged;
+      if any of these are needed in a list with a tainted element (which taints
+      the entire list at string-expansion time) then a named-list can be used
+      for that element.
+      - Exclamation-marks ("!" signifying negation) are not checked for taint
+      at this time.
 
 Exim version 4.98
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index 052c059e8..3e8f73d89 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4548,7 +4548,7 @@ for (int fill = 11 - Ustrlen(what); fill > 0; fill--)
   debug_printf("%V", "-");
 
 debug_printf("%s: %.*W\n", what, nchar, value);
-if (is_tainted(value))
+if (nchar > 0 && is_tainted(value))
   debug_printf_indent("%V          %V(tainted)\n",
     flags & ESI_SKIPPING ? "|" : " ", "\\__");
 }
diff --git a/src/src/match.c b/src/src/match.c
index 5670388ea..636ccc203 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -36,6 +36,16 @@ typedef struct check_address_block {
 
 
 
+static BOOL
+is_tainted_metadata(const uschar * s)
+{
+/* Not enforcing for now, only logging; will enforce in a future release */
+if (is_tainted(s))
+  log_write(0, LOG_MAIN|LOG_PANIC,
+	    "attempt to use tainted list metadata %s", s);
+return FALSE;
+}
+
 /*************************************************
 *           Generalized string match             *
 *************************************************/
@@ -170,6 +180,9 @@ just fall through - the match will fail. */
 
 if (cb->flags & MCS_AT_SPECIAL && pattern[0] == '@')
   {
+  if (is_tainted_metadata(pattern))
+    return DEFER;
+
   if (pattern[1] == 0)
     {
     pattern = primary_hostname;
@@ -572,10 +585,12 @@ while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
     {
     if (Ustrcmp(ss, "+caseful") == 0)
       {
-      check_address_block *cb = (check_address_block *)arg;
-      uschar *at = Ustrrchr(cb->origaddress, '@');
+      check_address_block * cb = (check_address_block *)arg;
+      uschar * at;
+
+      if (is_tainted_metadata(ss)) goto BAD_TAINT;
 
-      if (at)
+      if ((at = Ustrrchr(cb->origaddress, '@')))
         Ustrncpy(cb->address, cb->origaddress, at - cb->origaddress);
       cb->flags &= ~MCS_CASELESS;
       continue;
@@ -588,7 +603,8 @@ while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
     {
     if (Ustrcmp(ss, "+caseful") == 0)
       {
-      check_string_block *cb = (check_string_block *)arg;
+      check_string_block * cb = (check_string_block *)arg;
+      if (is_tainted_metadata(ss)) goto BAD_TAINT;
       Ustrcpy(US cb->subject, cb->origsubject);
       cb->flags &= ~MCS_CASELESS;
       continue;
@@ -601,6 +617,7 @@ while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
 
   else if (type == MCL_HOST && *ss == '+')
     {
+    if (is_tainted_metadata(ss)) goto BAD_TAINT;
     if (Ustrcmp(ss, "+include_unknown") == 0)
       {
       include_unknown = TRUE;
@@ -628,7 +645,16 @@ while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
     }
 
   /* Starting with ! specifies a negative item. It is theoretically possible
-  for a local part to start with !. In that case, a regex has to be used. */
+  for a local part to start with !. In that case, a regex has to be used.
+
+  XXX It would be good to disallow a tainted ! here, but the sequence
+  "! $tainted_var" is liable to be frequently used, and requiring a
+  named-list as a workaround would mean a lot of churn. Unfortunately,
+  some attacker can feed "!badthing" into a variable that some overworked
+  admin has used in a list...
+  Maybe we could intro another meta prefix char, which does not negate the
+  element match result (but still protects against a ! in $tainted_var) ?
+  Of course, this would still require churn in configs. */
 
   if (*ss == '!')
     {
@@ -775,6 +801,7 @@ while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
     HDEBUG(D_lists)
       { debug_printf_indent(" start sublist %s\n", ss+1); expand_level += 2; }
 
+    if (is_tainted_metadata(ss)) goto BAD_TAINT;
     if (!(t = tree_search(*anchorptr, ss+1)))
       {
       log_write(0, LOG_MAIN|LOG_PANIC, "unknown named%s list \"%s\"",
@@ -963,6 +990,7 @@ return yield == OK ? FAIL : OK;
  
 /* Something deferred */
 
+BAD_TAINT:
 DEFER_RETURN:
   HDEBUG(D_any)
     {
diff --git a/src/src/string.c b/src/src/string.c
index b370cfacc..4c582c65d 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -952,7 +952,7 @@ if (!*s) return NULL;
 sep_is_special = iscntrl(sep);
 
 /* Handle the case when a buffer is provided. */
-/*XXX need to also deal with qouted-requirements mismatch */
+/*XXX need to also deal with quoted-requirements mismatch */
 
 if (buffer)
   {
diff --git a/test/confs/2202 b/test/confs/2202
index 64c638d9a..7a1ddcbc8 100644
--- a/test/confs/2202
+++ b/test/confs/2202
@@ -10,6 +10,10 @@ acl_smtp_vrfy = vrfy
 acl_smtp_rcpt = rcpt
 disable_ipv6
 
+# need to use this sublist due to taint
+hostlist goodhosts = *.$sender_address_domain : $sender_address_domain : \
+		      ${lookup dnsdb{>:defer_never,mxh=$sender_address_domain}}
+
 .ifdef DNS_RECURSE
 hosts_treat_as_local =		test.again.dns
 domainlist try_again_dns_list =	@mx_any
@@ -29,9 +33,6 @@ vrfy:
 .endif
 
 rcpt:
-  accept hosts = +ignore_unknown : \
-    *.$sender_address_domain : \
-    $sender_address_domain : \
-    ${lookup dnsdb{>:defer_never,mxh=$sender_address_domain}}
+  accept hosts = +ignore_unknown : +goodhosts
 
 # End
diff --git a/test/stderr/0632 b/test/stderr/0632
index 8855f4e38..339bca7b6 100644
--- a/test/stderr/0632
+++ b/test/stderr/0632
@@ -377,7 +377,6 @@ p1235   ââââexpanded: â($tls_in_ver)
 p1235   ââââââresult:  âskippedâ¶
 p1235   â°âââskipping: result is not used
 p1235  ââââitem-res: 
-p1235             â°ââ(tainted)
 p1235  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
 p1235  â}}(Eximâ$version_number)â©
 p1235  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -414,7 +413,6 @@ p1235   â
 p1235   ââââââresult:  âskippedâ¶
 p1235   â°âââskipping: result is not used
 p1235  ââââitem-res: 
-p1235             â°ââ(tainted)
 p1235  âconsidering: (Eximâ$version_number)â©
 p1235  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
 p1235  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
@@ -854,7 +852,6 @@ p1236   ââââexpanded: â($tls_in_ver)
 p1236   ââââââresult:  âskippedâ¶
 p1236   â°âââskipping: result is not used
 p1236  ââââitem-res: 
-p1236             â°ââ(tainted)
 p1236  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
 p1236  â}}(Eximâ$version_number)â©
 p1236  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -891,7 +888,6 @@ p1236   â
 p1236   ââââââresult:  âskippedâ¶
 p1236   â°âââskipping: result is not used
 p1236  ââââitem-res: 
-p1236             â°ââ(tainted)
 p1236  âconsidering: (Eximâ$version_number)â©
 p1236  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
 p1236  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
diff --git a/test/stderr/2202 b/test/stderr/2202
index 12b9bbf5d..d6e38f3a8 100644
--- a/test/stderr/2202
+++ b/test/stderr/2202
@@ -38,69 +38,73 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
 SMTP>> 250 OK
 SMTP<< rcpt to:<a@b>
 using ACL "rcpt"
-processing ACL rcpt "accept" (TESTSUITE/test-config 35)
-check hosts = +ignore_unknown : *.$sender_address_domain : $sender_address_domain : ${lookup dnsdb{>:defer_never,mxh=$sender_address_domain}}
- search_open: dnsdb "NULL"
- search_find: file="NULL"
-   key=">:defer_never,mxh=cioce.test.again.dns" partial=-1 affix=NULL starflags=0 opts=NULL
- LRU list:
- internal_search_find: file="NULL"
-   type=dnsdb key=">:defer_never,mxh=cioce.test.again.dns" opts=NULL
- database lookup required for >:defer_never,mxh=cioce.test.again.dns
-                              (tainted)
- dnsdb key: cioce.test.again.dns
- DNS lookup of cioce.test.again.dns (MX) using fakens
- DNS lookup of cioce.test.again.dns (MX) gave TRY_AGAIN
- cioce.test.again.dns in dns_again_means_nonexist?
-  list element: *
-  cioce.test.again.dns in dns_again_means_nonexist? yes (matched "*")
- cioce.test.again.dns is in dns_again_means_nonexist: returning DNS_NOMATCH
- DNS: couldn't fake dnsa len
- DNS: no SOA record found for neg-TTL
-  writing neg-cache entry for cioce.test.again.dns-MX-xxxx, ttl -1
- creating new cache entry
- lookup failed
-host in "+ignore_unknown : *.cioce.test.again.dns : cioce.test.again.dns : "?
+processing ACL rcpt "accept" (TESTSUITE/test-config 36)
+check hosts = +ignore_unknown : +goodhosts
+host in "+ignore_unknown : +goodhosts"?
  list element: +ignore_unknown
- list element: *.cioce.test.again.dns
- sender host name required, to match against *.cioce.test.again.dns
-  looking up host name for ip4.ip4.ip4.ip4
-   DNS lookup of ip4-reverse.in-addr.arpa (PTR) using fakens
-   DNS lookup of ip4-reverse.in-addr.arpa (PTR) succeeded
-   Reverse DNS security status: unverified
-   IP address lookup yielded "the.local.host.name"
-   check dnssec require list
-   âthe.local.host.name not in empty list (option unset? cannot trace name)
-   check dnssec request list
-   âthe.local.host.name not in empty list (option unset? cannot trace name)
-   DNS lookup of the.local.host.name (A) using fakens
-   DNS lookup of the.local.host.name (A) succeeded
-   local host found for non-MX address
-   the.local.host.name ip4.ip4.ip4.ip4 mx=-1 sort=xx 
-   checking addresses for the.local.host.name
-   Forward DNS security status: unverified
+ list element: +goodhosts
+  start sublist goodhosts
+   âsearch_open: dnsdb "NULL"
+   âsearch_find: file="NULL"
+   â  key=">:defer_never,mxh=cioce.test.again.dns" partial=-1 affix=NULL starflags=0 opts=NULL
+   âLRU list:
+   âinternal_search_find: file="NULL"
+   â  type=dnsdb key=">:defer_never,mxh=cioce.test.again.dns" opts=NULL
+   âdatabase lookup required for >:defer_never,mxh=cioce.test.again.dns
+   â                             (tainted)
+   âdnsdb key: cioce.test.again.dns
+   âDNS lookup of cioce.test.again.dns (MX) using fakens
+   âDNS lookup of cioce.test.again.dns (MX) gave TRY_AGAIN
+   âcioce.test.again.dns in dns_again_means_nonexist?
+   â list element: *
+   â cioce.test.again.dns in dns_again_means_nonexist? yes (matched "*")
+   âcioce.test.again.dns is in dns_again_means_nonexist: returning DNS_NOMATCH
+   âDNS: couldn't fake dnsa len
+   âDNS: no SOA record found for neg-TTL
+   â writing neg-cache entry for cioce.test.again.dns-MX-xxxx, ttl -1
+   âcreating new cache entry
+   âlookup failed
+  host in "*.cioce.test.again.dns : cioce.test.again.dns : "?
+   âlist element: *.cioce.test.again.dns
+   âsender host name required, to match against *.cioce.test.again.dns
+   â looking up host name for ip4.ip4.ip4.ip4
+   â  DNS lookup of ip4-reverse.in-addr.arpa (PTR) using fakens
+   â  DNS lookup of ip4-reverse.in-addr.arpa (PTR) succeeded
+   â  Reverse DNS security status: unverified
+   â  IP address lookup yielded "the.local.host.name"
+   â  check dnssec require list
+   â   the.local.host.name not in empty list (option unset? cannot trace name)
+   â  check dnssec request list
+   â   the.local.host.name not in empty list (option unset? cannot trace name)
+   â  DNS lookup of the.local.host.name (A) using fakens
+   â  DNS lookup of the.local.host.name (A) succeeded
+   â  local host found for non-MX address
+   â  the.local.host.name ip4.ip4.ip4.ip4 mx=-1 sort=-151 
+   â  checking addresses for the.local.host.name
+   â  Forward DNS security status: unverified
   ip4.ip4.ip4.ip4 OK
- sender_fullhost = the.local.host.name (test) [ip4.ip4.ip4.ip4]
- sender_rcvhost = the.local.host.name ([ip4.ip4.ip4.ip4] helo=test)
- list element: cioce.test.again.dns
- using host_fake_gethostbyname for cioce.test.again.dns (IPv4)
- DNS lookup of cioce.test.again.dns (A) using fakens
- DNS lookup of cioce.test.again.dns (A) gave TRY_AGAIN
- cioce.test.again.dns in dns_again_means_nonexist?
-  list element: *
-  cioce.test.again.dns in dns_again_means_nonexist? yes (matched "*")
- cioce.test.again.dns is in dns_again_means_nonexist: returning DNS_NOMATCH
- DNS: couldn't fake dnsa len
- DNS: no SOA record found for neg-TTL
-  writing neg-cache entry for cioce.test.again.dns-A-xxxx, ttl -1
- host_fake_gethostbyname(af=inet) returned 1 (HOST_NOT_FOUND)
- no IP address found for host cioce.test.again.dns (during SMTP connection from the.local.host.name (test) [ip4.ip4.ip4.ip4])
+   âsender_fullhost = the.local.host.name (test) [ip4.ip4.ip4.ip4]
+   âsender_rcvhost = the.local.host.name ([ip4.ip4.ip4.ip4] helo=test)
+   âlist element: cioce.test.again.dns
+   âusing host_fake_gethostbyname for cioce.test.again.dns (IPv4)
+   âDNS lookup of cioce.test.again.dns (A) using fakens
+   âDNS lookup of cioce.test.again.dns (A) gave TRY_AGAIN
+   âcioce.test.again.dns in dns_again_means_nonexist?
+   â list element: *
+   â cioce.test.again.dns in dns_again_means_nonexist? yes (matched "*")
+   âcioce.test.again.dns is in dns_again_means_nonexist: returning DNS_NOMATCH
+   âDNS: couldn't fake dnsa len
+   âDNS: no SOA record found for neg-TTL
+   â writing neg-cache entry for cioce.test.again.dns-A-xxxx, ttl -1
+   âhost_fake_gethostbyname(af=inet) returned 1 (HOST_NOT_FOUND)
+   âno IP address found for host cioce.test.again.dns (during SMTP connection from the.local.host.name (test) [ip4.ip4.ip4.ip4])
 LOG: host_lookup_failed MAIN
   no IP address found for host cioce.test.again.dns (during SMTP connection from the.local.host.name (test) [ip4.ip4.ip4.ip4])
- failed to find IP address for cioce.test.again.dns: item ignored by +ignore_unknown
-host in "+ignore_unknown : *.cioce.test.again.dns : cioce.test.again.dns : "? no (end of list)
-accept: condition test failed in ACL rcpt
-end of ACL rcpt: implicit DENY
+   âhost in "*.cioce.test.again.dns : cioce.test.again.dns : "? no (failed to find IP address for cioce.test.again.dns)
+   end sublist goodhosts
+  host in "+ignore_unknown : +goodhosts"? no (end of list)
+ accept: condition test failed in ACL rcpt
+ end of ACL rcpt: implicit DENY
 SMTP>> 550 Administrative prohibition
 LOG: MAIN REJECT
   H=the.local.host.name (test) [ip4.ip4.ip4.ip4] F=<xx@cioce.test.again.dns> rejected RCPT <a@b>
@@ -108,7 +112,7 @@ SMTP<< quit
 SMTP>> 221 myhost.test.ex closing connection
 LOG: smtp_connection MAIN
   SMTP connection from the.local.host.name (test) [ip4.ip4.ip4.ip4] D=qqs closed by QUIT
-search_tidyup called
+ search_tidyup called
 >>>>>>>>>>>>>>>> Exim pid=p1234 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 Hints DB:
@@ -140,7 +144,7 @@ host in smtp_accept_max_nonmail_hosts?
  list element: *
   host in smtp_accept_max_nonmail_hosts? yes (matched "*")
 using ACL "vrfy"
-processing ACL vrfy "warn" (TESTSUITE/test-config 28)
+processing ACL vrfy "warn" (TESTSUITE/test-config 32)
 check domains = +try_again_dns_list
 test.again.dns in "+try_again_dns_list"?
  list element: +try_again_dns_list
diff --git a/test/stderr/5410 b/test/stderr/5410
index dce73fa67..bd1e5d26f 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -531,7 +531,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -568,7 +567,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
@@ -1158,7 +1156,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -1195,7 +1192,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
@@ -1785,7 +1781,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -1822,7 +1817,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
diff --git a/test/stderr/5420 b/test/stderr/5420
index b96d91def..6fad569ad 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -31,6 +31,7 @@ try option acl_smtp_helo
  list element: *
   in limits_advertise_hosts? yes (matched "*")
  in dsn_advertise_hosts? no (option unset)
+try option acl_smtp_atrn
 try option acl_smtp_etrn
 try option acl_smtp_vrfy
 try option acl_smtp_expn
@@ -530,7 +531,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -567,7 +567,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
@@ -708,6 +707,7 @@ try option acl_smtp_helo
  list element: *
   in limits_advertise_hosts? yes (matched "*")
  in dsn_advertise_hosts? no (option unset)
+try option acl_smtp_atrn
 try option acl_smtp_etrn
 try option acl_smtp_vrfy
 try option acl_smtp_expn
@@ -1156,7 +1156,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -1193,7 +1192,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
@@ -1334,6 +1332,7 @@ try option acl_smtp_helo
  list element: *
   in limits_advertise_hosts? yes (matched "*")
  in dsn_advertise_hosts? no (option unset)
+try option acl_smtp_atrn
 try option acl_smtp_etrn
 try option acl_smtp_vrfy
 try option acl_smtp_expn
@@ -1782,7 +1781,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: ${ifâdef:tls_in_cipher_stdâ{âtlsâ$tls_in_cipher_stdâ©
  â}}(Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
@@ -1819,7 +1817,6 @@ try option received_header_text
   ââââââresult:  âskippedâ¶
   â°âââskipping: result is not used
  ââââitem-res: 
-            â°ââ(tainted)
  âconsidering: (Eximâ$version_number)â©
  â${ifâdef:sender_addressâ{(envelope-fromâ<$sender_address>)â©
  â}}idâ$message_exim_id${ifâdef:received_forâ{â©
-- 
2.30.2

