On 17.06.24 12:57, Célestin Matte wrote:
> Update:
> Fix for pgarchives' load_message.py is pretty straightforward: exim
> provides the untainted version of $local_part, $local_part_data. Same
> for $domain and $domain_data.
> Pglister's inject.py is a tougher situation. I can't seem to get an
> untainted version of $sender_address and $header_message-id.
>
> However, replacing them with fake values does get things delivered
> properly. I'm starting to wonder if we really need these values. Why
> does inject.py need them for exactly? Header-message-id seems to only be
> displayed in the moderation queue, and sender address is correctly
> retrieved anyway (or is it just for the "envelope:" field of the
> moderation queue?).
>
>> Maybe we could have a switch to inject that picks these up from the
>> environment: I *think* most of those are actually made available by
>> default as environment variables in exim if I understand
>> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html
>> point 4 correctly. Or would those have the same problems with tainting?
>>
>> AIUI the only thing we couldn't get that way might be the message-id?
>> The question is, can we add that to the environment without getting
>> into taint problems?
>
> Can't get that to work (${env{SENDER_ADDRESS}} or SENDER is replaced by
> an empty value). I could keep trying, but that still wouldn't solve the
> problem for $header_message-id.

SENDER_ADDRESS is not among the default set of environment variables -
did you actually add them in the pipe transport using an environment =
stanza?

Stefan
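
An added sketch, not part of the thread and not pglister's code, of the alternative discussed above: the piped script takes the envelope sender from the `SENDER` environment variable that exim's pipe transport sets, and reads the Message-ID from the message on stdin, so neither value has to be expanded on the command line. The function name, the validation patterns and the sample message are assumptions made for this illustration.

```python
import os
import re
import sys
from email.parser import BytesParser

# Hypothetical validation patterns: both values are attacker-controlled input,
# whichever way they reach the script, so check their shape before using them.
ADDR_RE = re.compile(r"[^\s<>\x00-\x1f]{1,254}@[^\s<>\x00-\x1f]{1,253}")
MSGID_RE = re.compile(r"<[^<>\s]{1,250}>")


def envelope_from_pipe(environ, raw_message):
    """Return (sender, message_id) for a message handed over by a pipe transport.

    sender comes from the SENDER environment variable (empty for a bounce);
    message_id comes from the message's own headers, or None if absent/malformed.
    """
    sender = environ.get("SENDER", "")
    if sender and not ADDR_RE.fullmatch(sender):
        raise ValueError("unexpected envelope sender: %r" % sender)

    # Parse only the header block; the body is not needed for this.
    headers = BytesParser().parsebytes(raw_message, headersonly=True)
    raw_id = str(headers.get("Message-ID", "")).strip()
    message_id = raw_id if MSGID_RE.fullmatch(raw_id) else None
    return sender, message_id


# Constructed sample message for the example.
SAMPLE = (
    b"From: Alice <alice@example.org>\r\n"
    b"To: list@lists.example.org\r\n"
    b"Message-ID: <20240617.1234@example.org>\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    # As a pipe command: the message arrives on stdin, the sender in os.environ.
    print(envelope_from_pipe(os.environ, sys.stdin.buffer.read()))
```
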