author | Jeremy Harris <jgh146exb@wizmail.org> | 2021-04-25 13:02:01 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2021-04-25 21:40:07 +0100 |
commit | 82fecf8fd8f749abfc538a06d9eefc7119e014ae (patch) | |
tree | f049e6a456201c630e2fbd1312491088806e06d4 | |
parent | b9ab1e966ed95017bd6fc45acd04e09ec0c128ed (diff) |
Taint: enforce untainted ACL text line
-rw-r--r-- | doc/doc-txt/ChangeLog | 4 | ||||
-rw-r--r-- | src/src/acl.c | 28 |
2 files changed, 24 insertions, 8 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 916a4c470..68cec8531 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -241,6 +241,10 @@ JH/50 Bug 2672: QT elements in log lines, unless disabled, now exclude the The historical behaviour can be restored by disabling (a new) log_selector "queue_time_exclusive". +JH/51 Taint-check ACL line. Previously, only filenames (for out-of-line ACL + content) were specifically tested for. Now, also cover epxansions + rerulting in acl names and inline ACL content. + Exim version 4.94 diff --git a/src/src/acl.c b/src/src/acl.c index 2f20821c2..ce8d2189f 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -4088,6 +4088,26 @@ while (isspace(*ss)) ss++; acl_text = ss; +#ifdef notyet_taintwarn +if ( !f.running_in_test_harness + && is_tainted2(acl_text, LOG_MAIN|LOG_PANIC, + "attempt to use tainted ACL text \"%s\"", acl_text)) + { + /* Avoid leaking info to an attacker */ + *log_msgptr = US"internal configuration error"; + return ERROR; + } +#else +if (is_tainted(acl_text) && !f.running_in_test_harness) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "attempt to use tainted ACL text \"%s\"", acl_text); + /* Avoid leaking info to an attacker */ + *log_msgptr = US"internal configuration error"; + return ERROR; + } +#endi + /* Handle the case of a string that does not contain any spaces. Look for a named ACL among those read from the configuration, or a previously read file. It is possible that the pointer to the ACL is NULL if the configuration @@ -4111,14 +4131,6 @@ if (Ustrchr(ss, ' ') == NULL) else if (*ss == '/') { struct stat statbuf; - if (is_tainted(ss)) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "attempt to open tainted ACL file name \"%s\"", ss); - /* Avoid leaking info to an attacker */ - *log_msgptr = US"internal configuration error"; - return ERROR; - } if ((fd = Uopen(ss, O_RDONLY, 0)) < 0) { *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss, |
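Review bot: In the first src/src/acl.c hunk the new taint check is bypassed whenever `f.running_in_test_harness` is set, whereas the file-name guard removed in the second hunk (`if (is_tainted(ss))` ahead of `Uopen(ss, O_RDONLY, 0)`) had no such exemption. Under the harness a tainted ACL file name can therefore reach `Uopen` unchecked, and the rejection path can no longer be exercised by the test suite. I would either drop the harness condition, leaving `if (is_tainted(acl_text))`, or keep the unconditional file-name guard before `Uopen`; if the exemption is intentional, a one-line comment above the `#ifdef` should say why. The closing directive is shown as `#endi`, which looks like a truncated `#endif` and may be an artefact of the page rather than of the commit. The enclosing function starts and ends outside the hunk, so how `acl_text` can become tainted is not visible here.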