summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2016-05-06 13:07:18 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2016-05-06 13:38:56 +0100
commitf42deca923414cedcbb6d6646afbef460f50080c (patch)
tree8f1e90b66113e61ee85ec958e2ba2cd37e641255
parent0bd1b1ed8a1aaf9dcd5bdf30afe38f15aba344a0 (diff)
Avoid exposing passwords in log, on failing ldap lookup expansion. Bug 165
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--src/src/deliver.c20
-rw-r--r--src/src/expand.c23
-rw-r--r--src/src/functions.h1
-rw-r--r--src/src/rewrite.c17
-rw-r--r--src/src/route.c17
6 files changed, 31 insertions, 49 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4171d61c4..3bf6fc908 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -27,7 +27,7 @@ JH/05 If main configuration option tls_certificate is unset, generate a
selfsigned certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
- in rewrites.
+ in rewrites and routers.
Exim version 4.87
diff --git a/src/src/deliver.c b/src/src/deliver.c
index c6de1b901..743fc83e8 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1076,23 +1076,9 @@ malformed, it won't ever have gone near LDAP.) */
if (addr->message)
{
const uschar * s = string_printing(addr->message);
- if (s != addr->message)
- addr->message = US s;
- /* deconst cast ok as string_printing known to have alloc'n'copied */
- if ( ( Ustrstr(s, "failed to expand") != NULL
- || Ustrstr(s, "expansion of ") != NULL
- )
- && ( Ustrstr(s, "mysql") != NULL
- || Ustrstr(s, "pgsql") != NULL
- || Ustrstr(s, "redis") != NULL
- || Ustrstr(s, "sqlite") != NULL
- || Ustrstr(s, "ldap:") != NULL
- || Ustrstr(s, "ldaps:") != NULL
- || Ustrstr(s, "ldapi:") != NULL
- || Ustrstr(s, "ldapdn:") != NULL
- || Ustrstr(s, "ldapm:") != NULL
- ) )
- addr->message = US"Temporary internal error";
+
+ /* deconst cast ok as string_printing known to have alloc'n'copied */
+ addr->message = expand_hide_passwords(US s);
}
/* If we used a transport that has one of the "return_output" options set, and
diff --git a/src/src/expand.c b/src/src/expand.c
index fbbc56316..f783682b4 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7631,6 +7631,29 @@ return OK;
+/* Avoid potentially exposing a password in a string about to be logged */
+
+uschar *
+expand_hide_passwords(uschar * s)
+{
+return ( ( Ustrstr(s, "failed to expand") != NULL
+ || Ustrstr(s, "expansion of ") != NULL
+ )
+ && ( Ustrstr(s, "mysql") != NULL
+ || Ustrstr(s, "pgsql") != NULL
+ || Ustrstr(s, "redis") != NULL
+ || Ustrstr(s, "sqlite") != NULL
+ || Ustrstr(s, "ldap:") != NULL
+ || Ustrstr(s, "ldaps:") != NULL
+ || Ustrstr(s, "ldapi:") != NULL
+ || Ustrstr(s, "ldapdn:") != NULL
+ || Ustrstr(s, "ldapm:") != NULL
+ ) )
+ ? US"Temporary internal error" : s;
+}
+
+
+
/*************************************************
**************************************************
diff --git a/src/src/functions.h b/src/src/functions.h
index 454037fe1..f690e9fd9 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -180,6 +180,7 @@ extern int exp_bool(address_item *addr,
extern BOOL expand_check_condition(uschar *, uschar *, uschar *);
extern uschar *expand_string(uschar *); /* public, cannot make const */
extern const uschar *expand_cstring(const uschar *); /* ... so use this one */
+extern uschar *expand_hide_passwords(uschar * );
extern uschar *expand_string_copy(const uschar *);
extern int_eximarith_t expand_string_integer(uschar *, BOOL);
extern void modify_variable(uschar *, void *);
diff --git a/src/src/rewrite.c b/src/src/rewrite.c
index f2a7ff273..830d2bb8d 100644
--- a/src/src/rewrite.c
+++ b/src/src/rewrite.c
@@ -206,22 +206,7 @@ for (rule = rewrite_rules;
if (expand_string_forcedfail)
{ if ((rule->flags & rewrite_quit) != 0) break; else continue; }
- /* Avoid potentially exposing a password */
-
- if ( ( Ustrstr(expand_string_message, "failed to expand") != NULL
- || Ustrstr(expand_string_message, "expansion of ") != NULL
- )
- && ( Ustrstr(expand_string_message, "mysql") != NULL
- || Ustrstr(expand_string_message, "pgsql") != NULL
- || Ustrstr(expand_string_message, "redis") != NULL
- || Ustrstr(expand_string_message, "sqlite") != NULL
- || Ustrstr(expand_string_message, "ldap:") != NULL
- || Ustrstr(expand_string_message, "ldaps:") != NULL
- || Ustrstr(expand_string_message, "ldapi:") != NULL
- || Ustrstr(expand_string_message, "ldapdn:") != NULL
- || Ustrstr(expand_string_message, "ldapm:") != NULL
- ) )
- expand_string_message = US"Temporary internal error";
+ expand_string_message = expand_hide_passwords(expand_string_message);
log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
"%s", rule->replacement, expand_string_message);
diff --git a/src/src/route.c b/src/src/route.c
index b289b0f34..f7a532567 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -1897,21 +1897,8 @@ if (unseen && r->next)
/* Unset the address expansions, and return the final result. */
ROUTE_EXIT:
-if ( yield == DEFER
- && addr->message
- && ( Ustrstr(addr->message, "failed to expand") != NULL
- || Ustrstr(addr->message, "expansion of ") != NULL
- )
- && ( Ustrstr(addr->message, "mysql") != NULL
- || Ustrstr(addr->message, "pgsql") != NULL
- || Ustrstr(addr->message, "redis") != NULL
- || Ustrstr(addr->message, "sqlite") != NULL
- || Ustrstr(addr->message, "ldap:") != NULL
- || Ustrstr(addr->message, "ldapdn:") != NULL
- || Ustrstr(addr->message, "ldapm:") != NULL
- )
- )
- addr->message = string_sprintf("Temporary internal error");
+if (yield == DEFER && addr->message)
+ addr->message = expand_hide_passwords(addr->message);
deliver_set_expansions(NULL);
router_name = NULL;