diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-06-29 17:14:07 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-06-29 17:14:07 +0100 |
| commit | 62b2ccce05a9a3127736d84d20e2bbe7b0885287 (patch) | |
| tree | aeeb468c4f6215ae272863f5582373832e88a121 | |
| parent | 3d0472791a0928963a3f8184fe28479e80d1a47d (diff) | |
Taint: fix ACL "spam" condition, to permit tainted name arguments.
| -rw-r--r-- | doc/doc-txt/ChangeLog | 4 | ||||
| -rw-r--r-- | src/src/spam.c | 26 |
2 files changed, 13 insertions, 17 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index b2b9a74b8..41a9629cf 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -69,6 +69,10 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted. +JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name" + argument resulted in a trap. There is no reason to disallow such; this + was a coding error. + Exim version 4.94 ----------------- diff --git a/src/src/spam.c b/src/src/spam.c index 5eff1ad5c..bd34dba82 100644 --- a/src/src/spam.c +++ b/src/src/spam.c @@ -190,7 +190,6 @@ spam(const uschar **listptr) int sep = 0; const uschar *list = *listptr; uschar *user_name; -uschar user_name_buffer[128]; unsigned long mbox_size; FILE *mbox_file; client_conn_ctx spamd_cctx = {.sock = -1}; @@ -218,17 +217,14 @@ spamd_address_container * sd; result = 0; /* find the username from the option list */ -if ((user_name = string_nextinlist(&list, &sep, - user_name_buffer, - sizeof(user_name_buffer))) == NULL) +if (!(user_name = string_nextinlist(&list, &sep, NULL, 0))) { /* no username given, this means no scanning should be done */ return FAIL; } /* if username is "0" or "false", do not scan */ -if ( (Ustrcmp(user_name,"0") == 0) || - (strcmpic(user_name,US"false") == 0) ) +if (Ustrcmp(user_name, "0") == 0 || strcmpic(user_name, US"false") == 0) return FAIL; /* if there is an additional option, check if it is "true" */ @@ -237,19 +233,15 @@ if (strcmpic(list,US"true") == 0) override = 1; /* expand spamd_address if needed */ -if (*spamd_address == '$') +if (*spamd_address != '$') + spamd_address_work = spamd_address; +else if (!(spamd_address_work = expand_string(spamd_address))) { - spamd_address_work = expand_string(spamd_address); - if (spamd_address_work == NULL) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "%s spamd_address starts with $, but expansion failed: %s", - loglabel, expand_string_message); - return DEFER; - } + log_write(0, LOG_MAIN|LOG_PANIC, + "%s spamd_address starts with $, but expansion failed: %s", + loglabel, expand_string_message); + return DEFER; } -else - spamd_address_work = spamd_address; DEBUG(D_acl) debug_printf_indent("spamd: addrlist '%s'\n", spamd_address_work); |