diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-07-13 13:46:14 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-07-13 13:53:44 +0100 |
commit | 532800c8bf0e4bc2c27739477e70e0d7eef7df21 (patch) | |
tree | 8f1347c7b117e1c04d9d89d5b3b0e9343761e350 | |
parent | 040494b780a1f6db9f7dba0058c29e975241c1b0 (diff) |
Taint: fix ACL "spam" condition, to permit tainted name arguments
Follow-on from: 62b2ccce05
-rw-r--r-- | doc/doc-txt/ChangeLog | 6 | ||||
-rw-r--r-- | src/src/spam.c | 15 |
2 files changed, 10 insertions, 11 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 6d688d1b4..60627364d 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -69,9 +69,9 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted. -JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name" - argument resulted in a trap. There is no reason to disallow such; this - was a coding error. +JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the + "name" argument resulted in a trap. There is no reason to disallow such; + this was a coding error. JH/16 Bug 2615: Fix pause during message reception, on systems that have been suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time diff --git a/src/src/spam.c b/src/src/spam.c index bd34dba82..3318bff49 100644 --- a/src/src/spam.c +++ b/src/src/spam.c @@ -18,7 +18,7 @@ uschar spam_score_int_buffer[16]; uschar spam_bar_buffer[128]; uschar spam_action_buffer[32]; uschar spam_report_buffer[32600]; -uschar prev_user_name[128] = ""; +uschar * prev_user_name = NULL; int spam_ok = 0; int spam_rc = 0; uschar *prev_spamd_address_work = NULL; @@ -388,13 +388,12 @@ if (sd->is_rspamd) } else { /* spamassassin variant */ - (void)string_format(spamd_buffer, - sizeof(spamd_buffer), - "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n", - user_name, - mbox_size); + int n; + uschar * s = string_sprintf( + "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n%n", + user_name, mbox_size, &n); /* send our request */ - wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0); + wrote = send(spamd_cctx.sock, s, n, 0); } if (wrote == -1) @@ -625,7 +624,7 @@ if (spamd_address_work != spamd_address) prev_spamd_address_work = string_copy(spamd_address_work); /* remember user name and "been here" for it */ -Ustrcpy(prev_user_name, user_name); +prev_user_name = user_name; spam_ok = 1; return override |