From f3ebb786e451da973560f1c9d8cdb151d25108b5 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 25 Jul 2019 12:06:07 +0100 Subject: Track tainted data and refuse to expand it --- test/stderr/5410 | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'test/stderr/5410') diff --git a/test/stderr/5410 b/test/stderr/5410 index 7978a0266..a554fd953 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -38,6 +38,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: userx + ╰──(tainted) domain.com in "*"? yes (matched "*") ----------- end verify ------------ accept: condition test succeeded in ACL "cutthrough" @@ -48,6 +49,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: userx + ╰──(tainted) domain.com in "*"? yes (matched "*") Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected ╭considering: $primary_hostname @@ -67,6 +69,7 @@ cmd buf flush ddd bytes ╭considering: $address_data}{usery}{*}{:}} ├──expanding: $address_data ╰─────result: userx + ╰──(tainted) ╭considering: usery}{*}{:}} ├──expanding: usery ╰─────result: usery @@ -86,6 +89,7 @@ cmd buf flush ddd bytes ╭considering: $address_data}{userz}{*}{:}} ├──expanding: $address_data ╰─────result: userx + ╰──(tainted) ╭considering: userz}{*}{:}} ├──expanding: userz ╰─────result: userz @@ -191,10 +195,12 @@ end of inline ACL: ACCEPT ╰─────result: (helo=myhost.test.ex) + ╰──(tainted) ├──expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }} ╰─────result: from CALLER (helo=myhost.test.ex) + ╰──(tainted) ├──condition: def:received_protocol ├─────result: true ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std 
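Review bot: Every added line in this expected output is the `╰──(tainted)` debug marker under an expansion result, so the file pins only the labelling half of the change and not the refusal named in the subject. The marker appears under `$local_part`, `$address_data`, and the `Received:` pieces built from `$sender_helo_name` and `$received_for`; the same holds for the hunks from `@@ -233` onward. This page is limited to `test/stderr/5410`, so a negative case may live in another test. If it does not, one is worth adding in which a tainted value is passed to the expander as the string to be expanded and the expected stderr records the failure. None of the hunks shows a result line for a configuration-derived value such as `$primary_hostname`, so this file cannot confirm that untainted results stay unmarked; that is worth checking by hand, because a regenerated fixture accepts whatever the binary prints.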
@@ -233,6 +239,7 @@ end of inline ACL: ACCEPT for $received_for ╰─────result: for userx@domain.com + ╰──(tainted) ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std @@ -245,6 +252,7 @@ end of inline ACL: ACCEPT (envelope-from ) id 10HmaX-0005vi-00 for userx@domain.com + ╰──(tainted) ----------- start cutthrough headers send ----------- ----------- done cutthrough headers send ------------ ╭considering: ${tod_full} @@ -305,6 +313,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: usery + ╰──(tainted) domain.com in "*"? yes (matched "*") ----------- end verify ------------ accept: condition test succeeded in ACL "cutthrough" @@ -315,6 +324,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: usery + ╰──(tainted) domain.com in "*"? yes (matched "*") Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected ╭considering: $primary_hostname @@ -334,6 +344,7 @@ cmd buf flush ddd bytes ╭considering: $address_data}{usery}{*}{:}} ├──expanding: $address_data ╰─────result: usery + ╰──(tainted) ╭considering: usery}{*}{:}} ├──expanding: usery ╰─────result: usery @@ -427,10 +438,12 @@ end of inline ACL: ACCEPT ╰─────result: (helo=myhost.test.ex) + ╰──(tainted) ├──expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }} ╰─────result: from CALLER (helo=myhost.test.ex) + ╰──(tainted) ├──condition: def:received_protocol ├─────result: true ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std 
@@ -469,6 +482,7 @@ end of inline ACL: ACCEPT for $received_for ╰─────result: for usery@domain.com + ╰──(tainted) ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std @@ -481,6 +495,7 @@ end of inline ACL: ACCEPT (envelope-from ) id 10HmaZ-0005vi-00 for usery@domain.com + ╰──(tainted) ----------- start cutthrough headers send ----------- ----------- done cutthrough headers send ------------ ╭considering: ${tod_full} @@ -541,6 +556,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: usery + ╰──(tainted) domain.com in "*"? yes (matched "*") ----------- end verify ------------ accept: condition test succeeded in ACL "cutthrough" @@ -551,6 +567,7 @@ domain.com in "! +local_domains"? yes (end of list) ╭considering: $local_part ├──expanding: $local_part ╰─────result: usery + ╰──(tainted) domain.com in "*"? yes (matched "*") Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected ╭considering: $primary_hostname @@ -570,6 +587,7 @@ cmd buf flush ddd bytes ╭considering: $address_data}{usery}{*}{:}} ├──expanding: $address_data ╰─────result: usery + ╰──(tainted) ╭considering: usery}{*}{:}} ├──expanding: usery ╰─────result: usery @@ -663,10 +681,12 @@ end of inline ACL: ACCEPT ╰─────result: (helo=myhost.test.ex) + ╰──(tainted) ├──expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }} ╰─────result: from CALLER (helo=myhost.test.ex) + ╰──(tainted) ├──condition: def:received_protocol ├─────result: true ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std 
@@ -705,6 +725,7 @@ end of inline ACL: ACCEPT for $received_for ╰─────result: for usery@domain.com + ╰──(tainted) ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std @@ -717,6 +738,7 @@ end of inline ACL: ACCEPT (envelope-from ) id 10HmbB-0005vi-00 for usery@domain.com + ╰──(tainted) ----------- start cutthrough headers send ----------- ----------- done cutthrough headers send ------------ ╭considering: ${tod_full} -- cgit v1.2.3