0

My filter in CentOS is not working. Can anyone help me with it?

soft@204.compilor.com cannot be resolved at this time: Tainted name '/etc/exim/users/soft/204.compilor.com/soft/filter' for file read not permitted

This is the issue I get.

My router:

email_filter:
    driver = redirect
    allow_filter
    allow_fail
    forbid_filter_run
    forbid_filter_perl
    forbid_filter_lookup
    forbid_filter_readfile
    forbid_filter_readsocket
    no_check_local_user
    domains = lsearch;/etc/userdomains
    require_files = "/etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter"
    condition = "${extract \
        {size} \
        {${stat:/etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter}} \
    }"
    file = /etc/exim/users/${lookup{$domain}lsearch{/etc/userdomains}{$value}}/${perl{untaint}{$domain}}/${local_part}/filter
    file_transport = address_file
    directory_transport = address_directory
    reply_transport = address_reply
    router_home_directory = ${extract \
        {5} \
        {::} \
        {${lookup passwd \
            {${lookup \
                {$domain} \
                lsearch{/etc/userdomains} \
                {$value} \
            }} \
            {$value} \
        }} \
    }
    user = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    group = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    local_part_suffix = +*
    local_part_suffix_optional
    retry_use_local_part
    no_verify

So my filters are not working and show me this error. I don't understand the tainted part. I have tried everything I could myself.

be MrZulf
  • 1
    I don't know what you are trying to do, but in Perl, "taint" refers to security. When taint control is active, input that has been obtained through insecure sources must be de-tainted before it can be used. Read more in [perldoc perlsec](https://perldoc.perl.org/perlsec#Taint-mode) – TLP Jul 20 '22 at 16:37

2 Answers

1

I solved this issue by de-tainting the tainted variable.

You can use Perl untaint like this:

${perl{untaint}{$local_part}}

It is also fine, but there might be some security risk, so I defined these lines to de-taint my local part and domain:

BADCHARS = \N[^A-Za-z0-9_.-]+\N
SAFELOCALPART = ${lookup{${sg{$local_part}{BADCHARS}{_}}} lsearch*,ret=key{/etc/userdomains}}
SAFEDOMAIN = ${lookup{${sg{$domain}{BADCHARS}{_}}} lsearch*,ret=key{/etc/userdomains}}

So after this my router is:

email_filter:
    driver = redirect
    allow_filter
    allow_fail
    forbid_filter_run
    forbid_filter_perl
    forbid_filter_lookup
    forbid_filter_readfile
    forbid_filter_readsocket
    no_check_local_user
    domains = lsearch;/etc/userdomains
    require_files = "/etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter"
    condition = "${extract \
        {size} \
        {${stat:/etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter}} \
    }"
    file = /etc/exim/users/${lookup{SAFEDOMAIN}lsearch{/etc/userdomains}{$value}}/SAFEDOMAIN/SAFELOCALPART/filter
    file_transport = address_file
    directory_transport = address_directory
    reply_transport = address_reply
    router_home_directory = ${extract \
        {5} \
        {::} \
        {${lookup passwd \
            {${lookup \
                {$domain} \
                lsearch{/etc/userdomains} \
                {$value} \
            }} \
            {$value} \
        }} \
    }
    user = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    group = "${lookup \
        {$domain} \
        lsearch{/etc/userdomains} \
        {$value} \
    }"
    local_part_suffix = +*
    local_part_suffix_optional
    retry_use_local_part
    no_verify

I hope anyone facing the same issue will now be able to solve it.

be MrZulf
1

I found out that in this case the issue seems to be that in Exim 4.94 and newer you need to replace {$domain} with {$domain_data}.

See https://serverfault.com/questions/1025924/exim-tainted-filename-for-search-sender-verify-defer-for-failed-to-expand/1128358#1128358

PHZ.fi-Pharazon
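
An added Python model (not Exim code and not from either answer) of the two de-tainting styles in the answers above: rewriting the incoming string with the BADCHARS class, versus taking every path component from a trusted table, which is what a lookup key or `$domain_data` gives you. The `/etc/userdomains` contents and the `MAILBOXES` table are constructed sample data, and `MAILBOXES`, `substitute`, `trusted_key` and `filter_path` are hypothetical names.

```python
import re

# Constructed sample data, not from the original post.
USERDOMAINS = "204.compilor.com: soft\nexample.org: alice\n"
MAILBOXES = {"204.compilor.com": {"soft", "info"}}  # hypothetical per-domain mailbox list
BASE = "/etc/exim/users"
BADCHARS = re.compile(r"[^A-Za-z0-9_.-]+")           # character class from the first answer

def parse_userdomains(text):
    """Parse 'domain: owner' lines into a dict keyed by lower-cased domain."""
    table = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            table[key.strip().lower()] = value.strip()
    return table

def substitute(value):
    """Model of ${sg{value}{BADCHARS}{_}}: the input is rewritten but still used."""
    return BADCHARS.sub("_", value)

def trusted_key(value, known):
    """Return the matching entry taken from `known` itself, or None; never the input."""
    for entry in known:
        if entry == value.lower():
            return entry
    return None

def filter_path(domain, local_part, table=None):
    """Build the filter path from table-derived strings only; None means no filter."""
    table = parse_userdomains(USERDOMAINS) if table is None else table
    dom = trusted_key(domain, table)
    if dom is None:
        return None
    box = trusted_key(local_part, MAILBOXES.get(dom, ()))
    if box is None:
        return None
    return f"{BASE}/{table[dom]}/{dom}/{box}/filter"

if __name__ == "__main__":
    # Dots are inside the allowed class, so substitution alone leaves ".." unchanged,
    # while the table-based path simply has no entry for it.
    for lp in ("soft", "..", "a/b"):
        print(repr(lp), "->", repr(substitute(lp)), filter_path("204.compilor.com", lp))
```

When auditing a router like the ones above, check each path component for where its string originates: a value copied out of a root-owned file can only be something the administrator wrote there.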