Resolve "Amavis::Util: can't obtain a tainted string at /usr/sbin/amavisd line 2935." (!91) · Merge requests · amavis / amavis

dlucredativ requested to merge 85-cannot-obtain-tainted-string into master Jan 27, 2022

Prior to v2.12.2 amavis did the following in given order:

use $ENV{HOME} and $ENV{PATH} as external sources for tainted data.
undefine $ENV{PATH}
read config files
define $ENV{PATH} by $path confvar.

v2.12.2 introduces a config readability check via !75 (merged). The workflow changed to:

use $ENV{HOME} and $ENV{PATH} as external sources of tainted data.
undefine $ENV{PATH}
read config files
define several TEST_AMAVIS_CONFIG* environment variables.
execute itself with dropped privileges:
- use $ENV{HOME} and $ENV{PATH} as external sources for tainted data.
- ...
- try to read config files
- exit with exit-code depending on success of previous step
define $ENV{PATH} by $path confvar.

In the first step of executing itself, $ENV{PATH} is undefined, unless it has been defined by user config, and $ENV{HOME} may be undefined on operating systems which leave the task of dropping privileges for amavis.

This MR simply adds $ENV{TEST_AMAVIS_CONFIG} as an additional source of tained data.

Edited Jan 27, 2022 by dlucredativ

Resolve "Amavis::Util: can't obtain a tainted string at /usr/sbin/amavisd line 2935."

Merge request reports