author | Phil Pennock <pdp@exim.org> | 2018-05-15 19:04:34 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2018-05-15 19:04:34 -0400 |
commit | 85defcf0e9e4187107b8a1a5138ef9590ac3892c (patch) | |
tree | 662e6ddbf5df16c42bf423c270aabb9cfb1ea156 /src | |
parent | 97e939dfe2ea44a6e243ff6f489790ccd94f39ee (diff) |
Don't open spool data-files which are symlinks
Diffstat (limited to 'src')
-rw-r--r-- | src/src/spool_in.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 33890c516..cd74d1ee7 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -57,10 +57,18 @@ for (i = 0; i < 2; i++)
 fname = spool_fname(US"input", message_subdir, id, US"-D");
 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
+ /* We protect against symlink attacks both in not propagating the
+ * file-descriptor to other processes as we exec, and also ensuring that we
+ * don't even open symlinks.
+ * No -D file inside the spool area should be a symlink.
+ */
 if ((fd = Uopen(fname,
 #ifdef O_CLOEXEC
 O_CLOEXEC |
 #endif
+#ifdef O_NOFOLLOW
+ O_NOFOLLOW |
+#endif
 O_RDWR | O_APPEND, 0)) >= 0)
 break;
 save_errno = errno; |
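Review bot: The `#ifdef O_NOFOLLOW` guard compiles the protection out silently on platforms that lack the flag, while the new comment states unconditionally that symlinks are never opened. O_NOFOLLOW also refuses a symlink only in the final path component, so a symlinked intermediate directory on the path built by `spool_fname()` or a hard link to another file is not covered. I would qualify the comment with a line such as `* Only the last path component is checked, and only where O_NOFOLLOW exists.` and consider an `fstat()` on the opened descriptor that requires a regular file with `st_nlink == 1`. With the flag set, a symlinked -D file should now fail with ELOOP; how that errno is reported depends on the handling after `save_errno = errno;`, which lies outside this hunk along with the rest of the loop body.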