summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2016-05-04 16:09:52 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2016-05-04 16:33:22 +0100
commit0bd1b1ed8a1aaf9dcd5bdf30afe38f15aba344a0 (patch)
treef48d8d639bef99c29448e1c09a84108165ab2f15
parent76075bb5445f3e4021b0c3b444ea0eaf599a3fdd (diff)
Avoid exposing passwords in log, on failing ldap lookup expansion. Bug 165
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/deliver.c4
-rw-r--r--src/src/rewrite.c18
3 files changed, 24 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 272176cc8..4171d61c4 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -26,6 +26,9 @@ JH/04 Bug 1810: make continued-use of an open smtp transport connection
JH/05 If main configuration option tls_certificate is unset, generate a
selfsigned certificate for inbound TLS connections.
+JH/06 Bug 165: hide more cases of password exposure - this time in expansions
+ in rewrites.
+
Exim version 4.87
-----------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index a1fb602e9..c6de1b901 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1087,10 +1087,12 @@ if (addr->message)
|| Ustrstr(s, "redis") != NULL
|| Ustrstr(s, "sqlite") != NULL
|| Ustrstr(s, "ldap:") != NULL
+ || Ustrstr(s, "ldaps:") != NULL
+ || Ustrstr(s, "ldapi:") != NULL
|| Ustrstr(s, "ldapdn:") != NULL
|| Ustrstr(s, "ldapm:") != NULL
) )
- addr->message = string_sprintf("Temporary internal error");
+ addr->message = US"Temporary internal error";
}
/* If we used a transport that has one of the "return_output" options set, and
diff --git a/src/src/rewrite.c b/src/src/rewrite.c
index ca7fb6a11..f2a7ff273 100644
--- a/src/src/rewrite.c
+++ b/src/src/rewrite.c
@@ -205,6 +205,24 @@ for (rule = rewrite_rules;
{
if (expand_string_forcedfail)
{ if ((rule->flags & rewrite_quit) != 0) break; else continue; }
+
+ /* Avoid potentially exposing a password */
+
+ if ( ( Ustrstr(expand_string_message, "failed to expand") != NULL
+ || Ustrstr(expand_string_message, "expansion of ") != NULL
+ )
+ && ( Ustrstr(expand_string_message, "mysql") != NULL
+ || Ustrstr(expand_string_message, "pgsql") != NULL
+ || Ustrstr(expand_string_message, "redis") != NULL
+ || Ustrstr(expand_string_message, "sqlite") != NULL
+ || Ustrstr(expand_string_message, "ldap:") != NULL
+ || Ustrstr(expand_string_message, "ldaps:") != NULL
+ || Ustrstr(expand_string_message, "ldapi:") != NULL
+ || Ustrstr(expand_string_message, "ldapdn:") != NULL
+ || Ustrstr(expand_string_message, "ldapm:") != NULL
+ ) )
+ expand_string_message = US"Temporary internal error";
+
log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
"%s", rule->replacement, expand_string_message);
break;