From: Phil Pennock Date: Fri, 25 Oct 2013 00:38:28 +0000 (-0400) Subject: Doc/Spec: section "Trust in configuration data" X-Git-Tag: exim-4_82^0 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=69aca2feaca1ebbc55c6f1adaee4738dc328ae90 Doc/Spec: section "Trust in configuration data" --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ec01e1669..c71dfda73 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -35863,6 +35863,8 @@ are given in chapter &<>&. .new .section "Running local commands" "SECTsecconslocalcmds" +.cindex "security" "local commands" +.cindex "security" "command injection attacks" There are a number of ways in which an administrator can configure Exim to run commands based upon received, untrustworthy, data. Further, in some configurations a user who can control a &_.forward_& file can also arrange to @@ -35907,6 +35909,41 @@ Consider the use of the &%inlisti%& expansion condition instead. + +.new +.section "Trust in configuration data" "SECTsecconfdata" +.cindex "security" "data sources" +.cindex "security" "regular expressions" +.cindex "regular expressions" "security" +.cindex "PCRE" "security" +If configuration data for Exim can come from untrustworthy sources, there +are some issues to be aware of: + +.ilist +Use of &%${expand...}%& may provide a path for shell injection attacks. +.next +Letting untrusted data provide a regular expression is unwise. +.next +Using &%${match...}%& to apply a fixed regular expression against untrusted +data may result in pathological behaviour within PCRE. Be aware of what +"backtracking" means and consider options for being more strict with a regular +expression. Avenues to explore include limiting what can match (avoiding &`.`& +when &`[a-z0-9]`& or other character class will do), use of atomic grouping and +possessive quantifiers or just not using regular expressions against untrusted +data. +.next +It can be important to correctly use &%${quote:...}%&, +&%${quote_local_part:...}%& and &%${quote_%&<&'lookup-type'&>&%:...}%& expansion +items to ensure that data is correctly constructed. +.next +Some lookups might return multiple results, even though normal usage is only +expected to yield one result. +.endlist +.wen + + + + .section "IPv4 source routing" "SECID272" .cindex "source routing" "in IP packets" .cindex "IP source routing"